SSO fallback to UserInfo preferred_username by @Timshel in #7128
Dummy identifier need to pass for a guid by @Timshel in #7154
add new /identity/accounts/prelogin/password by @stefan0xC in #7156
Add DuckDuckGo browser device type by @dfunkt in #7147
Apply duration_suboptimal_units lint findings by @dfunkt in #7144
Apply ref_option lint findings by @dfunkt in #7143
Fix hardcoded sso identifier by @Timshel in #7157
Update crates and fix a nightly lint by @BlackDex in #7161
Fix Host/IP resolving by @BlackDex in #7162
Several SSO Fixes by @BlackDex in #7163
Add support for archiving items by @matt-aaron in #6916
Fix favicon fetching to check all icon links instead of just the first one by @Shocker in #6880
Fix merge conflict by @dani-garcia in #7164
Replace organization_uuid unwrap with proper error handling by @xjohnyknox in #6936
fix: return Err instead of panic on unknown cipher atype in to_json() by @mango766 in #7068
Allow SQLite to be linked against dynamically by @ISSOtm in #7057
Update crates and web-vault by @BlackDex in #7171
Update hickory by @BlackDex in #7175

New Contributors

@matt-aaron made their first contribution in #6916
@Shocker made their first contribution in #6880
@xjohnyknox made their first contribution in #6936
@mango766 made their first contribution in #7068
@ISSOtm made their first contribution in #7057

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0

You can discuss this release here https://github.com/dani-garcia/vaultwarden/discussions/7177

`v1.35.8`

Compare Source

What's Changed

Dummy org Master password policy auth fix by @Timshel in #7097
Fix recovery-code not working by @BlackDex in #7102
Fix invalid refresh token response by @BlackDex in #7105
Update Rust, Crates, GHA and fix a DNS issue by @BlackDex in #7108
Update web-vault and crates by @BlackDex in #7121

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.7...1.35.8

`v1.35.7`

Compare Source

What's Changed

Fix 2FA for Android by @BlackDex in #7093

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.6...1.35.7

`v1.35.6`

Compare Source

Notes

The previous release contained an issue where Two Factor Remember Tokens and Recovery Tokens were not accepted at all.
This has been fixed now in this release.

What's Changed

Fix MFA Remember by @BlackDex in #7085

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.5...1.35.6

`v1.35.5`

Compare Source

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization Vault.
GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp rotation

These are private for now, pending CVE assignment.

Notes

The admin templates have changed, please update them if you override these via templates.
Two Factor Remember Tokens are now valid for max 30 days. Old tokens are invalid directly after upgrading.

What's Changed

apply policies only to confirmed members by @stefan0xC in #6892
Feat(config): add feature flag for Safari account switching by @DerPlayer2001 in #6891
fix: add ForcePasswordReset to api key login by @montdidier in #6904
Add Webauthn related origins flag to known flags. by @pasarenicu in #6900
Add 30s cache to SSO exchange_refresh_token by @Timshel in #6866
Add cxp-import-mobile and cxp-export-mobile: feature flags on mobile by @phoeagon in #6853
Misc updates and fixes by @BlackDex in #6910
Support new desktop origin on CORS by @dani-garcia in #6920
Fix checkout action version by @dfunkt in #6921
Fix apikey login by @BlackDex in #6922
Fix email header base64 padding by @BlackDex in #6961
Update Feature Flags by @BlackDex in #6981
Update crates and GHA by @BlackDex in #6980
Use protected CI environment by @dani-garcia in #7004
Fix 2FA Remember to actually be 30 days by @BlackDex in #6929
Misc Updates by @BlackDex in #7027
Switch to attest action by @dfunkt in #7017
Rotate refresh-tokens on sstamp reset by @BlackDex in #7031
Misc org fixes by @BlackDex in #7032
Fix empty string FolderId by @BlackDex in #7048
Disable deployments for release env by @dfunkt in #7033
Fix Send icons by @BlackDex in #7051
prevent managers from creating collections by @stefan0xC in #6890
Change SQLite backup to use VACUUM INTO query by @getaaron in #6989
Handle SIGTERM and SIGQUIT shutdown signals. by @0x484558 in #7008
Do not display unavailable 2FA options by @0x484558 in #7013
Fix logout push identifiers and send logout before clearing devices by @qaz741wsd856 in #7047
Fix windows build issues by @idontneedonetho in #7065
Crate and GHA updates by @BlackDex in #7081

New Contributors

@DerPlayer2001 made their first contribution in #6891
@montdidier made their first contribution in #6904
@pasarenicu made their first contribution in #6900
@phoeagon made their first contribution in #6853
@getaaron made their first contribution in #6989
@0x484558 made their first contribution in #7008
@qaz741wsd856 made their first contribution in #7047
@idontneedonetho made their first contribution in #7065

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.4...1.35.5

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [vaultwarden/server](https://github.com/dani-garcia/vaultwarden) | minor | `1.35.4` → `1.36.0` | --- ### Release Notes <details> <summary>dani-garcia/vaultwarden (vaultwarden/server)</summary> ### [`v1.36.0`](https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0) [Compare Source](https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0) #### Security Fixes This release contains security fixes for the following advisories. We strongly advice to update as soon as possible. - SSO Login CSRF [GHSA-pfp2-jhgq-6hg5](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-pfp2-jhgq-6hg5) [GHSA-w6h6-8r66-hcv7](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w6h6-8r66-hcv7) - User/Organization Enumeration [GHSA-hxqh-ff5p-wfr3](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-hxqh-ff5p-wfr3) - SSO existing-user binding [GHSA-j4j8-gpvj-7fqr](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4j8-gpvj-7fqr) [GHSA-6x5c-84vm-5j56](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-6x5c-84vm-5j56) - SSRF via Icon Endpoint [GHSA-72vh-x5jq-m82g](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-72vh-x5jq-m82g) - Some crate's updated and other minor security enhancements These are private for now, pending CVE assignment. #### Notes - Archiving of items is available <https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/> <https://bitwarden.com/nl-nl/help/managing-items/#archive> - Web Vault updated to v2026.4.1 #### What's Changed - SSO fallback to UserInfo preferred\_username by [@Timshel](https://github.com/Timshel) in [#7128](https://github.com/dani-garcia/vaultwarden/pull/7128) - Dummy identifier need to pass for a guid by [@Timshel](https://github.com/Timshel) in [#7154](https://github.com/dani-garcia/vaultwarden/pull/7154) - add new /identity/accounts/prelogin/password by [@stefan0xC](https://github.com/stefan0xC) in [#7156](https://github.com/dani-garcia/vaultwarden/pull/7156) - Add DuckDuckGo browser device type by [@dfunkt](https://github.com/dfunkt) in [#7147](https://github.com/dani-garcia/vaultwarden/pull/7147) - Apply `duration_suboptimal_units` lint findings by [@dfunkt](https://github.com/dfunkt) in [#7144](https://github.com/dani-garcia/vaultwarden/pull/7144) - Apply `ref_option` lint findings by [@dfunkt](https://github.com/dfunkt) in [#7143](https://github.com/dani-garcia/vaultwarden/pull/7143) - Fix hardcoded sso identifier by [@Timshel](https://github.com/Timshel) in [#7157](https://github.com/dani-garcia/vaultwarden/pull/7157) - Update crates and fix a nightly lint by [@BlackDex](https://github.com/BlackDex) in [#7161](https://github.com/dani-garcia/vaultwarden/pull/7161) - Fix Host/IP resolving by [@BlackDex](https://github.com/BlackDex) in [#7162](https://github.com/dani-garcia/vaultwarden/pull/7162) - Several SSO Fixes by [@BlackDex](https://github.com/BlackDex) in [#7163](https://github.com/dani-garcia/vaultwarden/pull/7163) - Add support for archiving items by [@matt-aaron](https://github.com/matt-aaron) in [#6916](https://github.com/dani-garcia/vaultwarden/pull/6916) - Fix favicon fetching to check all icon links instead of just the first one by [@Shocker](https://github.com/Shocker) in [#6880](https://github.com/dani-garcia/vaultwarden/pull/6880) - Fix merge conflict by [@dani-garcia](https://github.com/dani-garcia) in [#7164](https://github.com/dani-garcia/vaultwarden/pull/7164) - Replace organization\_uuid unwrap with proper error handling by [@xjohnyknox](https://github.com/xjohnyknox) in [#6936](https://github.com/dani-garcia/vaultwarden/pull/6936) - fix: return Err instead of panic on unknown cipher atype in to\_json() by [@mango766](https://github.com/mango766) in [#7068](https://github.com/dani-garcia/vaultwarden/pull/7068) - Allow SQLite to be linked against dynamically by [@ISSOtm](https://github.com/ISSOtm) in [#7057](https://github.com/dani-garcia/vaultwarden/pull/7057) - Update crates and web-vault by [@BlackDex](https://github.com/BlackDex) in [#7171](https://github.com/dani-garcia/vaultwarden/pull/7171) - Update hickory by [@BlackDex](https://github.com/BlackDex) in [#7175](https://github.com/dani-garcia/vaultwarden/pull/7175) #### New Contributors - [@matt-aaron](https://github.com/matt-aaron) made their first contribution in [#6916](https://github.com/dani-garcia/vaultwarden/pull/6916) - [@Shocker](https://github.com/Shocker) made their first contribution in [#6880](https://github.com/dani-garcia/vaultwarden/pull/6880) - [@xjohnyknox](https://github.com/xjohnyknox) made their first contribution in [#6936](https://github.com/dani-garcia/vaultwarden/pull/6936) - [@mango766](https://github.com/mango766) made their first contribution in [#7068](https://github.com/dani-garcia/vaultwarden/pull/7068) - [@ISSOtm](https://github.com/ISSOtm) made their first contribution in [#7057](https://github.com/dani-garcia/vaultwarden/pull/7057) **Full Changelog**: <https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0> You can discuss this release here <https://github.com/dani-garcia/vaultwarden/discussions/7177> ### [`v1.35.8`](https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.8) [Compare Source](https://github.com/dani-garcia/vaultwarden/compare/1.35.7...1.35.8) #### What's Changed - Dummy org Master password policy auth fix by [@Timshel](https://github.com/Timshel) in [#7097](https://github.com/dani-garcia/vaultwarden/pull/7097) - Fix recovery-code not working by [@BlackDex](https://github.com/BlackDex) in [#7102](https://github.com/dani-garcia/vaultwarden/pull/7102) - Fix invalid refresh token response by [@BlackDex](https://github.com/BlackDex) in [#7105](https://github.com/dani-garcia/vaultwarden/pull/7105) - Update Rust, Crates, GHA and fix a DNS issue by [@BlackDex](https://github.com/BlackDex) in [#7108](https://github.com/dani-garcia/vaultwarden/pull/7108) - Update web-vault and crates by [@BlackDex](https://github.com/BlackDex) in [#7121](https://github.com/dani-garcia/vaultwarden/pull/7121) **Full Changelog**: <https://github.com/dani-garcia/vaultwarden/compare/1.35.7...1.35.8> ### [`v1.35.7`](https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.7) [Compare Source](https://github.com/dani-garcia/vaultwarden/compare/1.35.6...1.35.7) #### What's Changed - Fix 2FA for Android by [@BlackDex](https://github.com/BlackDex) in [#7093](https://github.com/dani-garcia/vaultwarden/pull/7093) **Full Changelog**: <https://github.com/dani-garcia/vaultwarden/compare/1.35.6...1.35.7> ### [`v1.35.6`](https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.6) [Compare Source](https://github.com/dani-garcia/vaultwarden/compare/1.35.5...1.35.6) #### Notes The previous release contained an issue where Two Factor Remember Tokens and Recovery Tokens were not accepted at all. This has been fixed now in this release. #### What's Changed - Fix MFA Remember by [@BlackDex](https://github.com/BlackDex) in [#7085](https://github.com/dani-garcia/vaultwarden/pull/7085) **Full Changelog**: <https://github.com/dani-garcia/vaultwarden/compare/1.35.5...1.35.6> ### [`v1.35.5`](https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.5) [Compare Source](https://github.com/dani-garcia/vaultwarden/compare/1.35.4...1.35.5) #### Security Fixes This release contains security fixes for the following advisories. We strongly advice to update as soon as possible. - [GHSA-937x-3j8m-7w7p](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-937x-3j8m-7w7p) Unconfirmed Owner Can Purge Entire Organization Vault. - [GHSA-569v-845w-g82p](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-569v-845w-g82p) Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization - [GHSA-6j4w-g4jh-xjfx](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-6j4w-g4jh-xjfx) Refresh tokens not invalidated on security stamp rotation These are private for now, pending CVE assignment. #### Notes - The admin templates have changed, please update them if you override these via templates. - Two Factor Remember Tokens are now valid for max 30 days. Old tokens are invalid directly after upgrading. #### What's Changed - apply policies only to confirmed members by [@stefan0xC](https://github.com/stefan0xC) in [#6892](https://github.com/dani-garcia/vaultwarden/pull/6892) - Feat(config): add feature flag for Safari account switching by [@DerPlayer2001](https://github.com/DerPlayer2001) in [#6891](https://github.com/dani-garcia/vaultwarden/pull/6891) - fix: add ForcePasswordReset to api key login by [@montdidier](https://github.com/montdidier) in [#6904](https://github.com/dani-garcia/vaultwarden/pull/6904) - Add Webauthn related origins flag to known flags. by [@pasarenicu](https://github.com/pasarenicu) in [#6900](https://github.com/dani-garcia/vaultwarden/pull/6900) - Add 30s cache to SSO exchange\_refresh\_token by [@Timshel](https://github.com/Timshel) in [#6866](https://github.com/dani-garcia/vaultwarden/pull/6866) - Add cxp-import-mobile and cxp-export-mobile: feature flags on mobile by [@phoeagon](https://github.com/phoeagon) in [#6853](https://github.com/dani-garcia/vaultwarden/pull/6853) - Misc updates and fixes by [@BlackDex](https://github.com/BlackDex) in [#6910](https://github.com/dani-garcia/vaultwarden/pull/6910) - Support new desktop origin on CORS by [@dani-garcia](https://github.com/dani-garcia) in [#6920](https://github.com/dani-garcia/vaultwarden/pull/6920) - Fix `checkout` action version by [@dfunkt](https://github.com/dfunkt) in [#6921](https://github.com/dani-garcia/vaultwarden/pull/6921) - Fix apikey login by [@BlackDex](https://github.com/BlackDex) in [#6922](https://github.com/dani-garcia/vaultwarden/pull/6922) - Fix email header base64 padding by [@BlackDex](https://github.com/BlackDex) in [#6961](https://github.com/dani-garcia/vaultwarden/pull/6961) - Update Feature Flags by [@BlackDex](https://github.com/BlackDex) in [#6981](https://github.com/dani-garcia/vaultwarden/pull/6981) - Update crates and GHA by [@BlackDex](https://github.com/BlackDex) in [#6980](https://github.com/dani-garcia/vaultwarden/pull/6980) - Use protected CI environment by [@dani-garcia](https://github.com/dani-garcia) in [#7004](https://github.com/dani-garcia/vaultwarden/pull/7004) - Fix 2FA Remember to actually be 30 days by [@BlackDex](https://github.com/BlackDex) in [#6929](https://github.com/dani-garcia/vaultwarden/pull/6929) - Misc Updates by [@BlackDex](https://github.com/BlackDex) in [#7027](https://github.com/dani-garcia/vaultwarden/pull/7027) - Switch to `attest` action by [@dfunkt](https://github.com/dfunkt) in [#7017](https://github.com/dani-garcia/vaultwarden/pull/7017) - Rotate refresh-tokens on sstamp reset by [@BlackDex](https://github.com/BlackDex) in [#7031](https://github.com/dani-garcia/vaultwarden/pull/7031) - Misc org fixes by [@BlackDex](https://github.com/BlackDex) in [#7032](https://github.com/dani-garcia/vaultwarden/pull/7032) - Fix empty string FolderId by [@BlackDex](https://github.com/BlackDex) in [#7048](https://github.com/dani-garcia/vaultwarden/pull/7048) - Disable deployments for release env by [@dfunkt](https://github.com/dfunkt) in [#7033](https://github.com/dani-garcia/vaultwarden/pull/7033) - Fix Send icons by [@BlackDex](https://github.com/BlackDex) in [#7051](https://github.com/dani-garcia/vaultwarden/pull/7051) - prevent managers from creating collections by [@stefan0xC](https://github.com/stefan0xC) in [#6890](https://github.com/dani-garcia/vaultwarden/pull/6890) - Change SQLite backup to use VACUUM INTO query by [@getaaron](https://github.com/getaaron) in [#6989](https://github.com/dani-garcia/vaultwarden/pull/6989) - Handle `SIGTERM` and `SIGQUIT` shutdown signals. by [@0x484558](https://github.com/0x484558) in [#7008](https://github.com/dani-garcia/vaultwarden/pull/7008) - Do not display unavailable 2FA options by [@0x484558](https://github.com/0x484558) in [#7013](https://github.com/dani-garcia/vaultwarden/pull/7013) - Fix logout push identifiers and send logout before clearing devices by [@qaz741wsd856](https://github.com/qaz741wsd856) in [#7047](https://github.com/dani-garcia/vaultwarden/pull/7047) - Fix windows build issues by [@idontneedonetho](https://github.com/idontneedonetho) in [#7065](https://github.com/dani-garcia/vaultwarden/pull/7065) - Crate and GHA updates by [@BlackDex](https://github.com/BlackDex) in [#7081](https://github.com/dani-garcia/vaultwarden/pull/7081) #### New Contributors - [@DerPlayer2001](https://github.com/DerPlayer2001) made their first contribution in [#6891](https://github.com/dani-garcia/vaultwarden/pull/6891) - [@montdidier](https://github.com/montdidier) made their first contribution in [#6904](https://github.com/dani-garcia/vaultwarden/pull/6904) - [@pasarenicu](https://github.com/pasarenicu) made their first contribution in [#6900](https://github.com/dani-garcia/vaultwarden/pull/6900) - [@phoeagon](https://github.com/phoeagon) made their first contribution in [#6853](https://github.com/dani-garcia/vaultwarden/pull/6853) - [@getaaron](https://github.com/getaaron) made their first contribution in [#6989](https://github.com/dani-garcia/vaultwarden/pull/6989) - [@0x484558](https://github.com/0x484558) made their first contribution in [#7008](https://github.com/dani-garcia/vaultwarden/pull/7008) - [@qaz741wsd856](https://github.com/qaz741wsd856) made their first contribution in [#7047](https://github.com/dani-garcia/vaultwarden/pull/7047) - [@idontneedonetho](https://github.com/idontneedonetho) made their first contribution in [#7065](https://github.com/dani-garcia/vaultwarden/pull/7065) **Full Changelog**: <https://github.com/dani-garcia/vaultwarden/compare/1.35.4...1.35.5> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate-bot added 1 commit

2026-04-27 09:51:07 +00:00

Update vaultwarden/server Docker tag to v1.35.8 7c3f2023de

renovate-bot force-pushed renovate/vaultwarden-server-1.x from 7c3f2023de to add88ee2d4

2026-05-04 00:04:08 +00:00

Compare

renovate-bot changed title from ~~Update vaultwarden/server Docker tag to v1.35.8~~ to Update vaultwarden/server Docker tag to v1.36.0

2026-05-04 00:04:08 +00:00

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/vaultwarden-server-1.x:renovate/vaultwarden-server-1.x

git switch renovate/vaultwarden-server-1.x

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master

git merge --no-ff renovate/vaultwarden-server-1.x

git switch renovate/vaultwarden-server-1.x

git rebase master

git switch master

git merge --ff-only renovate/vaultwarden-server-1.x

git switch renovate/vaultwarden-server-1.x

git rebase master

git switch master

git merge --no-ff renovate/vaultwarden-server-1.x

git switch master

git merge --squash renovate/vaultwarden-server-1.x

git switch master

git merge --ff-only renovate/vaultwarden-server-1.x

git switch master

git merge renovate/vaultwarden-server-1.x

git push origin master

No reviewers

No labels

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

peter/homelab-docker-config!321

No description provided.

Rows
Columns