1.33.0

Security Fixes

This release contains security fixes for the following advisories.
And we strongly advice to update as soon as possible.

• GHSA-f7r5-w49x-gxm3
  This vulnerability is only possible if you do not have an ADMIN_TOKEN configured and open links or pages you should not trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your admin environment save.
• GHSA-h6cc-rc6q-23j4
  This vulnerability is only possible if someone was able to gain access to your Vaultwarden Admin Backend. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email.
• GHSA-j4h8-vch3-f797
  This vulnerability affects all users who have multiple Organizations and users which are able to create a new organization or have admin or owner rights on at least one organization. The attacker does need to know the Organization UUID of the Organization it want's to attack or compromise though.

Notable changes

• Updated web-vault to v2025.1.1
• Added partial manage role support for collections
• Manager role is converted to a Custom role with either Manage All Collections or per collection.
  Admins and Owners probably want to check and verify if the rights are still correct.
• The OCI containers and binaries are signed via GitHub Attestations
  This allows you to verify an OCI image or even the vaultwarden binary located within the OCI image.

These vulnerabilities affects

What's Changed

• Add inline-menu-positioning-improvements feature flag by @Ephemera42 in #5313
• Fix issues when uri match is a string by @BlackDex in #5332
• Add TOTP delete endpoint by @Timshel in #5327
• fix group issue in send_invite by @stefan0xC in #5321
• Update crates and GHA by @BlackDex in #5346
• Refactor the uri match fix and fix ssh-key sync by @BlackDex in #5339
• Add partial role support for manager only using web-vault v2024.12.0 by @BlackDex in #5219
• Fix issue with key-rotate by @BlackDex in #5348
• fix manager role in admin users overview by @stefan0xC in #5359
• Prevent new users/members to be stored in db when invite fails by @BlackDex in #5350
• Update crates and web-vault to v2025.1.0 by @BlackDex in #5368
• Allow building with Rust v1.84.0 or newer by @BlackDex in #5371
• rename membership and adopt newtype pattern by @stefan0xC in #5320
• build: raise msrv (1.83.0) rust toolchain (1.84.0) by @tessus in #5374
• Fix an issue with login with device by @BlackDex in #5379
• refactor: replace static with const for global constants by @Integral-Tech in #5260
• Add Attestations for containers and artifacts by @BlackDex in #5378
• Fix version detection on bake by @BlackDex in #5382
• Simplify container image attestation by @dfunkt in #5387
• improve admin invite by @stefan0xC in #5403
• Add manage role for collections and groups by @BlackDex in #5386
• update web-vault to v2025.1.1 and add /api/devices by @stefan0xC in #5422
• Security fixes by @BlackDex in #5438
• only validate SMTP_FROM if necessary by @stefan0xC in #5442

New Contributors

• @Ephemera42 made their first contribution in #5313
• @Integral-Tech made their first contribution in #5260

Full Changelog: 1.32.7...1.33.0

1.32.7

Security Fixes

This release contains a security fix for the following CVE GHSA-g65h-982x-4m5m.

This vulnerability affects any installations that have the ORG_GROUPS_ENABLED setting enabled, and we urge anyone doing so to update as soon as possible.

What's Changed

• feat: mask _smtp_img_src in support string by @tessus in #5281
• Some refactoring, optimizations and security fixes by @BlackDex in #5291
• Allow adding connect-src entries by @BlackDex in #5293
• Use updated fern instead of patch by @BlackDex in #5298

Full Changelog: 1.32.6...1.32.7

1.32.6

What's Changed

• Fix push not working by @BlackDex in #5214
• Fix editing members which have access-all rights by @BlackDex in #5213
• chore: fix some comments by @chuangjinglu in #5224
• Update Rust and crates by @BlackDex in #5248
• Update Alpine to version 3.21 by @dfunkt in #5256
• Fix another sync issue with native clients by @BlackDex in #5259
• Update crates by @dfunkt in #5268
• Some Backend Admin fixes and updates by @BlackDex in #5272

New Contributors

• @chuangjinglu made their first contribution in #5224

Full Changelog: 1.32.5...1.32.6

1.32.5

Security Fixes

This release further fixed some CVE Reports reported by a third party security auditor and we recommend everybody to update to the latest version as soon as possible. The contents of these reports will be disclosed publicly in the future.

Notable changes

• Added SSH-Key storage support. Currently only usable with Bitwarden Desktop v2024.12.0 and newer.
  You need to enable this feature by adding ssh-key-vault-item,ssh-agent to the EXPERIMENTAL_CLIENT_FEATURE_FLAGS config option. See .env.template

What's Changed

• Fix if logic error by @BlackDex in #5171
• More authrequest fixes by @dani-garcia in #5176
• Add dynamic CSS support by @BlackDex in #4940
• fix hibp username encoding and pw hint check by @BlackDex in #5180
• Remove auth-request deletion by @BlackDex in #5184
• fix password hint check by @stefan0xC in #5189
• don't infer manage permission for groups by @stefan0xC in #5190
• Some more authrequest changes by @dani-garcia in #5188
• Support SSH keys on desktop 2024.12 by @dani-garcia in #5187
• Fix Org Import duplicate collections by @BlackDex in #5200

Full Changelog: 1.32.4...1.32.5

1.32.4

Security Fixes

This release has fixed some CVE Reports reported by a third party security auditor and we recommend everybody to update to the latest version as soon as possible. The contents of these reports will be disclosed publicly in the future.

Notable changes

• Added more compatibility fixes for the native mobile apps, datetimes are now formatted without too many decimals.
• Email Template changes to the send emergency access invite. If you have modified this template, make sure to update it with the new changes.

What's Changed

• Update README by @BlackDex in #5153

Full Changelog: 1.32.3...1.32.4

1.32.3

Notable changes

• Email template for org invites was updated again. The URL got HTML Encoded which resulted in a sometimes non-working URL (#5100)
• Fixed SMTP issues with some providers which send erroneous response to QUIT messages (Like QQ) (Thanks to @paolobarbolini)
• Fixed a long standing collection management issue where collections were not able to be managed via the Password Manager overview

What's Changed

• Fix iOS sync by converting field types to int by @BlackDex in #5081
• Fix field type to actually be hidden by @BlackDex in #5082
• Fix org invite url being html encoded by @BlackDex in #5100
• Update Rust to 1.82.0 by @dfunkt in #5099
• Fix collection management and match some json output by @BlackDex in #5095
• Add extension-refresh feature flag by @dfunkt in #5106
• Hide user name on invite status by @BlackDex in #5110
• Add documentation for the extension-refresh feature flag by @dfunkt in #5112
• Update crates and fix Mail issue by @BlackDex in #5125

Full Changelog: 1.32.2...1.32.3

1.32.2

Notable changes

• Fixed collection management for managers

What's Changed

• Fix compiling for Windows targets by @BlackDex in #5053
• Updates and collection management fixes by @BlackDex in #5072
• Fix --version from failing without config by @BlackDex in #5055

Full Changelog: 1.32.1...1.32.2

1.32.1

Notable changes

• Fixed syncing/login with native mobile clients
• Added CLI option to backup SQLite database
• Email Template changes regarding invites, 2FA Incomplete logins, and new logins

What's Changed

• Update GitHub Action Workflows by @BlackDex in #4849
• Fix Duo Redirect not using path by @BlackDex in #4862
• Fix manager in web-vault v2024.6.2 for collections by @BlackDex in #4860
• Update email footer padding values by @dfunkt in #4838
• Remove unecessary email normalization by @Timshel in #4840
• Fix Vaultwarden Admin page error messages by @BlackDex in #4869
• Update issue template by @BlackDex in #4876
• remove overzealous sanity check by @stefan0xC in #4879
• Fix Login with device by @BlackDex in #4878
• Switch to Whitelisting in .dockerignore by @Timshel in #4856
• Remove version from server config info by @zacknewman in #4885
• Update issue template by @BlackDex in #4882
• Update crates (GHSA-wq9x-qwcq-mmgf) by @BlackDex in #4889
• Updated security readme by @BlackDex in #4892
• Allow custom umask setting by @BlackDex in #4896
• Allow Org Master-Pw policy enforcement by @BlackDex in #4899
• Allow enforcing Single Org with pw reset policy by @BlackDex in #4903
• Add a CLI feature to backup the SQLite DB by @BlackDex in #4906
• Update web-vault, crates and gha by @BlackDex in #4909
• Add orgUserHasExistingUser parameters to org invite by @Timshel in #4827
• Update Rust version & crates by @dfunkt in #4928
• Fix sync with new native clients by @BlackDex in #4932
• Fix collection update from native client by @BlackDex in #4937
• fix invitation link via /admin by @stefan0xC in #4950
• Fix Pw History null dates by @BlackDex in #4966
• fix 2fa policy check on registration by @stefan0xC in #4956
• Actually use Device Type for mails by @dfunkt in #4916
• remove backtics from postgresql migrations by @stefan0xC in #4968
• Fix Device Type column for 2FA migration by @BlackDex in #4971
• Fix encrypted lastUsedDate by @BlackDex in #4972
• Fix keyword collision in Rust 2024 and add new api/config value by @dani-garcia in #4975
• Add extra linting by @BlackDex in #4977

New Contributors

• @zacknewman made their first contribution in #4885

Full Changelog: 1.32.0...1.32.1

1.32.0

Security Fixes

This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.

• CVE-2024-39924 Fixed via #4715
• CVE-2024-39925 Fixed via #4837
• CVE-2024-39926 Fixed via #4737

Other changes

• Updated web-vault to v2024.6.2
• Fixed issues with password reset enrollment by rolling back a web-vault commit

What's Changed

• use a custom plan of enterprise tier to fix limits by @stefan0xC in #4726
• chore: Dockerfile to Remove port 3012 by @calvin-li-developer in #4725
• Fix bug where secureNotes is empty by @cobyge in #4730
• Improved HTTP client by @dani-garcia in #4740
• Update admin interface by @BlackDex in #4737
• Fix for RSA Keys which are read only by @BlackDex in #4744
• Fix Email 2FA login on native app by @BlackDex in #4762
• Update crates & fix crate vulnerability by @dfunkt in #4771
• Fix Dockerfile linter warnings by @dfunkt in #4763
• allow re-invitations of existing users by @stefan0xC in #4768
• Allow to override log level for specific target by @Timshel in #4305
• Add support for MFA with Duo's Universal Prompt by @0x0fbc in #4637
• Allow to increase the note size to 100_000 by @BlackDex in #4772
• Update Rust, Crates and GHA by @BlackDex in #4783
• Duo: use the formatted db email by @Timshel in #4779
• Update rust-toolchain.toml to 1.80.0 by @dfunkt in #4784
• fix issue with adding ciphers to organizations on native ios app by @stefan0xC in #4800
• Rewrite the Push Notifications section in the configuration template by @dfunkt in #4805
• Secure send file uploads by @BlackDex in #4810
• make access_all optional by @stefan0xC in #4812
• Remove lowercase conversion for featureStates by @dfunkt in #4820
• Fix mail::send_incomplete_2fa_login panic issue by @dfunkt in #4792
• Update crates, web-vault and fixes by @BlackDex in #4823
• Updated web-vault to v2024.6.2b by @BlackDex in #4826
• Update Rust to 1.80.1 by @dfunkt in #4831
• Fix data disclosure on organization endpoints by @BlackDex in #4837

New Contributors

• @cobyge made their first contribution in #4730
• @0x0fbc made their first contribution in #4637

Full Changelog: 1.31.0...1.32.0

1.31.0

Major changes and New Features

• Initial support for the beta releases of the new native mobile apps
• Removed support for WebSocket traffic on port 3012, as it's been integrated on the main HTTP port for a few releases
• Updated included web vault to 2024.5.1

General mention

Bitwarden has changed the push API endpoints which affects the EU region endpoint users.
So if you use the push functionality and use the EU region you need to make some changes.
You have to update push.bitwarden.eu to api.bitwarden.eu.
This is also an issue with any previous version of Vaultwarden.

What's Changed

• chore: remove repetitive words by @one230six in #4422
• Fix comment in events.rs by @KrappRamiro in #4408
• Improve JWT RSA key initialization and avoid saving public key by @dani-garcia in #4085
• Remove custom WebSocket code by @BlackDex in #4001
• refactor: replace panic with a graceful exit by @tessus in #4402
• Small improvements around email change by @Timshel in #4415
• Change timestamp data type. by @gzfrozen in #4355
• Fix #3624: fix manager permission within groups by @matlink in #3754
• automatically use email address as 2fa provider by @stefan0xC in #4317
• fix: typos by @testwill in #4440
• Update chrono and sqlite by @BlackDex in #4436
• Update Rust and crates by @BlackDex in #4445
• Use async verify for Yubikey by @dani-garcia in #4448
• update web-vault to v2024.3.1 (new vertical layout) by @stefan0xC in #4468
• Update crates and some Clippy fixes by @BlackDex in #4475
• Update Key Rotation web-vault v2024.3.x by @BlackDex in #4446
• Update Crate and Rust by @BlackDex in #4522
• Implement custom DNS resolver by @dani-garcia in #3988
• Add extra (unsupported) container build arch's by @BlackDex in #4524
• Pass in collection ids to notifier when sharing cipher. by @kristof-mattei in #4517
• improve access to collections via groups by @stefan0xC in #4441
• fix emergency access invites by @stefan0xC in #4337
• Some fixes for the new mobile apps by @dani-garcia in #4526
• Update Rust, crates and web-vault by @BlackDex in #4558
• Improve Commentary Aesthetics by @rich-purnell in #4549
• Optimize Dockerfiles by @dfunkt in #4532
• also delete organization_api_key when deleting organizations by @stefan0xC in #4557
• Fix public api for domains with path prefix by @FDHoho007 in #4500
• Update crates by @BlackDex in #4587
• Fix web-vault version in Docker(files/Settings) by @dfunkt in #4575
• Update Alpine to version 3.20 by @dfunkt in #4583
• differentiate external groups by organization id by @stefan0xC in #4586
• Remove old knowndevice route by @Timshel in #4578
• Update admin interface dependencies by @BlackDex in #4581
• Update rust and remove unused header values by @dani-garcia in #4645
• Update crates, web-vault and GHA by @BlackDex in #4648
• Fix some nightly build errors by @dani-garcia in #4657
• Fix some more nightly errors and remove lint that will become an error by default by @dani-garcia in #4661
• Change API and structs to camelCase by @dani-garcia in #4386
• Fix cipher creation on new android app by @dani-garcia in #4670
• Remove mimalloc workaround by @dfunkt in #4606
• Change some missing PascalCase keys by @dani-garcia in #4671
• Fix collections and native app issue by @BlackDex in #4685
• Fix duplicate folder creations during import by @BlackDex in #4702
• Remove duplicate registry step by @dfunkt in #4703
• add group support for Cipher::get_collections() by @stefan0xC in #4592
• Switch registry cache compression algorithm to zstd by @dfunkt in #4704
• Update crates and web-vault by @BlackDex in #4714
• Some fixes for emergency access by @BlackDex in #4715

New Contributors

• @one230six made their first contribution in #4422
• @KrappRamiro made their first contribution in #4408
• @testwill made their first contribution in #4440
• @kristof-mattei made their first contribution in #4517
• @rich-purnell made their first contribution in #4549
• @dfunkt made their first contribution in #4532
• @FDHoho007 made their first contribution in #4500

Full Changelog: 1.30.5...1.31.0