Software update: Vaultwarden 1.36.0
Vaultwarden is an unofficial implementation of the Bitwarden password manager, written in Rust. It covers only the server side of the password manager; the official Bitwarden software can be used for the clients. Vaultwarden is lighter on resources and also offers functionality that requires payment with Bitwarden, including organization-level password management. Version 1.36.0 of Vaultwarden has been released, with the following changes and improvements:
Security Fixes
This release contains security fixes for the following advisories. We strongly advise to update as soon as possible.
SSO Login CSRF: GHSA-pfp2-jhgq-6hg5, GHSA-w6h6-8r66-hcv7
User/Organization Enumeration: GHSA-hxqh-ff5p-wfr3
SSO existing-user binding: GHSA-j4j8-gpvj-7fqr, GHSA-6x5c-84vm-5j56
SSRF via Icon Endpoint: GHSA-72vh-x5jq-m82g
Some crates updated and other minor security enhancements
These are private for now, pending CVE assignment.
Notes
Archiving of items is available
https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/
https://bitwarden.com/nl-nl/help/managing-items/#archive
Web Vault updated to v2026.4.1
What's Changed
SSO fallback to UserInfo preferred_username in #7128
Dummy identifier need to pass for a guid in #7154
add new /identity/accounts/prelogin/password in #7156
Add DuckDuckGo browser device type in #7147
Apply duration_suboptimal_units lint findings in #7144
Apply ref_option lint findings in #7143
Fix hardcoded sso identifier in #7157
Update crates and fix a nightly lint in #7161
Fix Host/IP resolving in #7162
Several SSO Fixes in #7163
Add support for archiving items in #6916
Fix favicon fetching to check all icon links instead of just the first one in #6880
Fix merge conflict in #7164
Replace organization_uuid unwrap with proper error handling in #6936
fix: return Err instead of panic on unknown cipher atype in to_json() in #7068
Allow SQLite to be linked against dynamically in #7057
Update crates and web-vault in #7171
Update hickory in #7175
Source:
Tweakers.net