1.34.3

Notable changes

This release should fix an issue with MySQL/MariaDB database connections when using the Alpine images.
The alpine build image has reverted to use MariaDB Connector/C v3.4.5 which resolved the issue.

What's Changed

• Update crates to trigger rebuild for mysql issue by @BlackDex in #6111
• fix hiding of signup link by @stefan0xC in #6113

Full Changelog: 1.34.2...1.34.3

1.34.2

Notable changes

• Updated web vault to 2025.7.0
• Included experimental support for S3 file backend using OpenDAL. This currently requires compiling from source with the s3 feature flag, check #5626 for more details.

What's Changed

• fix css to hide login with passkey by @stefan0xC in #5890
• fix css for locked screen by @stefan0xC in #5905
• Abstract persistent files through Apache OpenDAL by @txase in #5626
• Some small admin updates by @BlackDex in #5909
• Fix and improvements to password policies by @Timshel in #5923
• Update Alpine to version 3.22 by @dfunkt in #5938
• make css for login-page position independent by @stefan0xC in #5906
• Minor fixes to copy in .env.template by @nickgrim in #5928
• Update crates and web-vault by @BlackDex in #5955
• allow signup for invited users by @stefan0xC in #5967
• fix account recovery withdrawal by @stefan0xC in #5968
• Fix an issue with yubico keys not validating by @BlackDex in #5991
• Misc Updates and favicon fixes by @BlackDex in #5993
• Update flags version and enable manual error reporting by @dani-garcia in #5994
• Use existing reqwest client for AWS S3 requests by @txase in #5917
• Fix v2025.6.x clients and newer to delete items by @BlackDex in #6004
• chore: fix some minor issues in the comments by @mountdisk in #5998
• fix hiding email as 2fa provider by @stefan0xC in #6026
• Update web-vault and admin resources by @BlackDex in #6044
• improve the usage section of the README by @stefan0xC in #6041
• close unmatched left parenthesis in the README by @stefan0xC in #6046
• Update crates, workflow and issue template by @BlackDex in #6056
• Update release.yml by @dani-garcia in #6057
• fix hash reference in release.yml by @stefan0xC in #6058
• Fix digest SHA extraction step by @dfunkt in #6059
• Hide login form custom fields by @Timshel in #6054
• Adjust issue template by @BlackDex in #6096
• fix: resolve group permission conflicts with multiple groups by @DasCanard in #6017
• Update crates by @BlackDex in #6100
• fix account key rotation by @stefan0xC in #6105

New Contributors

• @txase made their first contribution in #5626
• @nickgrim made their first contribution in #5928
• @mountdisk made their first contribution in #5998
• @DasCanard made their first contribution in #6017

Full Changelog: 1.34.1...1.35.0

1.34.1

What's Changed

• Fix admin diagnostics crash by @BlackDex in #5886

Full Changelog: 1.34.0...1.34.1

1.34.0

Notable changes

• Updated web-vault to v2025.5.0
• Implemented new registration flow with email verification
• Added support for some feature flags (mutual TLS, attachment export, AnonAddy/SimpleLogin self host)

What's Changed

• Update crates & fix CVE-2025-25188 by @dfunkt in #5576
• Fix db issues with Option<> values and upd crates by @BlackDex in #5594
• allow CLI to upload send files with truncated filenames by @stefan0xC in #5618
• Update Rust to 1.85.0 by @dfunkt in #5634
• Use subtle to replace deprecated ring::constant_time::verify_slices_are_equal by @Timshel in #5680
• Add support for mutual-tls feature flag by @bennettmsherman in #5698
• Add AnonAddy/SimpleLogin self host feature flag by @PseudoResonance in #5694
• Implement new registration flow with email verification by @dani-garcia in #5215
• Some fixes for the new web-vault and updates by @BlackDex in #5703
• Update Rust, Crates and other deps by @BlackDex in #5709
• Update deps and web-vault by @BlackDex in #5742
• Fix invited user registration without SMTP by @Timshel in #5712
• Fix mysqlclient-sys building by @BlackDex in #5743
• Really fix building by @BlackDex in #5745
• Update Rust to 1.86.0 by @dfunkt in #5744
• Verify templates in CI by @dani-garcia in #5748
• Add Docker Templates pre-commit check by @BlackDex in #5749
• Fix debian docker building by @BlackDex in #5752
• Updates and general fixes by @BlackDex in #5762
• On member invite and edit access_all is not sent anymore by @Timshel in #5673
• respond with cipher json when deleting attachments by @stefan0xC in #5823
• feat: add feature flag export-attachments by @tessus in #5784
• Fix Yubico toggle by @Timshel in #5833
• Fix minimum Android version for self-host email alias feature flags by @PseudoResonance in #5802
• feat: add ip address in logs when email 2fa token is invalid or not available by @tessus in #5779
• Update Rust, Crates and Web-Vault by @BlackDex in #5860
• Add totp menu feature flag by @moodejb123 in #5850
• Remove Hide Business scss rules by @Timshel in #5855
• Toggle providers using class by @Timshel in #5832
• Remove old client version check by @Timshel in #5874
• web-client now request email 2fa by @Timshel in #5871
• Update admin interface by @BlackDex in #5880
• Sync with Upstream by @BlackDex in #5798

New Contributors

• @bennettmsherman made their first contribution in #5698
• @PseudoResonance made their first contribution in #5694
• @moodejb123 made their first contribution in #5850

Full Changelog: 1.33.2...1.34.0

1.33.2

What's Changed

• Update workflows and enhance security by @BlackDex in #5537
• Update crates & fix CVE-2025-24898 by @dfunkt in #5538
• add bulk-access endpoint for collections by @stefan0xC in #5542
• Fix icon redirect not working on desktop by @BlackDex in #5536
• Show assigned collections on member edit by @BlackDex in #5556

Full Changelog: 1.33.1...1.33.2

1.33.1

General mention

This release has some minor issues fixed like:

• Icon's not working on the Desktop clients
• Invites not always working
• DUO settings not able to configure
• Manager rights
• Mobile client sync issues fixed

What's Changed

• hide already approved (or declined) auth_requests by @stefan0xC in #5467
• let invited members access OrgMemberHeaders by @stefan0xC in #5461
• Make sure the icons are displayed correctly in desktop clients by @WinLinux1028 in #5469
• Fix passwordRevisionDate format by @BlackDex in #5477
• add and use new event types by @stefan0xC in #5482
• Fix Duo Field Names for Web Client by @ratiner in #5491
• Allow all manager to create collections again by @BlackDex in #5488
• Update Rust to 1.84.1 by @dfunkt in #5508

New Contributors

• @WinLinux1028 made their first contribution in #5469
• @ratiner made their first contribution in #5491

Full Changelog: 1.33.0...1.33.1

1.33.0

Security Fixes

This release contains security fixes for the following advisories.
And we strongly advice to update as soon as possible.

• GHSA-f7r5-w49x-gxm3
  This vulnerability is only possible if you do not have an ADMIN_TOKEN configured and open links or pages you should not trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your admin environment save.
• GHSA-h6cc-rc6q-23j4
  This vulnerability is only possible if someone was able to gain access to your Vaultwarden Admin Backend. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email.
• GHSA-j4h8-vch3-f797
  This vulnerability affects all users who have multiple Organizations and users which are able to create a new organization or have admin or owner rights on at least one organization. The attacker does need to know the Organization UUID of the Organization it want's to attack or compromise though.

Notable changes

• Updated web-vault to v2025.1.1
• Added partial manage role support for collections
• Manager role is converted to a Custom role with either Manage All Collections or per collection.
  Admins and Owners probably want to check and verify if the rights are still correct.
• The OCI containers and binaries are signed via GitHub Attestations
  This allows you to verify an OCI image or even the vaultwarden binary located within the OCI image.

These vulnerabilities affects

What's Changed

• Add inline-menu-positioning-improvements feature flag by @Ephemera42 in #5313
• Fix issues when uri match is a string by @BlackDex in #5332
• Add TOTP delete endpoint by @Timshel in #5327
• fix group issue in send_invite by @stefan0xC in #5321
• Update crates and GHA by @BlackDex in #5346
• Refactor the uri match fix and fix ssh-key sync by @BlackDex in #5339
• Add partial role support for manager only using web-vault v2024.12.0 by @BlackDex in #5219
• Fix issue with key-rotate by @BlackDex in #5348
• fix manager role in admin users overview by @stefan0xC in #5359
• Prevent new users/members to be stored in db when invite fails by @BlackDex in #5350
• Update crates and web-vault to v2025.1.0 by @BlackDex in #5368
• Allow building with Rust v1.84.0 or newer by @BlackDex in #5371
• rename membership and adopt newtype pattern by @stefan0xC in #5320
• build: raise msrv (1.83.0) rust toolchain (1.84.0) by @tessus in #5374
• Fix an issue with login with device by @BlackDex in #5379
• refactor: replace static with const for global constants by @Integral-Tech in #5260
• Add Attestations for containers and artifacts by @BlackDex in #5378
• Fix version detection on bake by @BlackDex in #5382
• Simplify container image attestation by @dfunkt in #5387
• improve admin invite by @stefan0xC in #5403
• Add manage role for collections and groups by @BlackDex in #5386
• update web-vault to v2025.1.1 and add /api/devices by @stefan0xC in #5422
• Security fixes by @BlackDex in #5438
• only validate SMTP_FROM if necessary by @stefan0xC in #5442

New Contributors

• @Ephemera42 made their first contribution in #5313
• @Integral-Tech made their first contribution in #5260

Full Changelog: 1.32.7...1.33.0

1.32.7

Security Fixes

This release contains a security fix for the following CVE GHSA-g65h-982x-4m5m.

This vulnerability affects any installations that have the ORG_GROUPS_ENABLED setting enabled, and we urge anyone doing so to update as soon as possible.

What's Changed

• feat: mask _smtp_img_src in support string by @tessus in #5281
• Some refactoring, optimizations and security fixes by @BlackDex in #5291
• Allow adding connect-src entries by @BlackDex in #5293
• Use updated fern instead of patch by @BlackDex in #5298

Full Changelog: 1.32.6...1.32.7

1.32.6

What's Changed

• Fix push not working by @BlackDex in #5214
• Fix editing members which have access-all rights by @BlackDex in #5213
• chore: fix some comments by @chuangjinglu in #5224
• Update Rust and crates by @BlackDex in #5248
• Update Alpine to version 3.21 by @dfunkt in #5256
• Fix another sync issue with native clients by @BlackDex in #5259
• Update crates by @dfunkt in #5268
• Some Backend Admin fixes and updates by @BlackDex in #5272

New Contributors

• @chuangjinglu made their first contribution in #5224

Full Changelog: 1.32.5...1.32.6

1.32.5

Security Fixes

This release further fixed some CVE Reports reported by a third party security auditor and we recommend everybody to update to the latest version as soon as possible. The contents of these reports will be disclosed publicly in the future.

Notable changes

• Added SSH-Key storage support. Currently only usable with Bitwarden Desktop v2024.12.0 and newer.
  You need to enable this feature by adding ssh-key-vault-item,ssh-agent to the EXPERIMENTAL_CLIENT_FEATURE_FLAGS config option. See .env.template

What's Changed

• Fix if logic error by @BlackDex in #5171
• More authrequest fixes by @dani-garcia in #5176
• Add dynamic CSS support by @BlackDex in #4940
• fix hibp username encoding and pw hint check by @BlackDex in #5180
• Remove auth-request deletion by @BlackDex in #5184
• fix password hint check by @stefan0xC in #5189
• don't infer manage permission for groups by @stefan0xC in #5190
• Some more authrequest changes by @dani-garcia in #5188
• Support SSH keys on desktop 2024.12 by @dani-garcia in #5187
• Fix Org Import duplicate collections by @BlackDex in #5200

Full Changelog: 1.32.4...1.32.5