SSO fallback to UserInfo preferred_username by @Timshel in #7128
Dummy identifier need to pass for a guid by @Timshel in #7154
add new /identity/accounts/prelogin/password by @stefan0xC in #7156
Add DuckDuckGo browser device type by @dfunkt in #7147
Apply duration_suboptimal_units lint findings by @dfunkt in #7144
Apply ref_option lint findings by @dfunkt in #7143
Fix hardcoded sso identifier by @Timshel in #7157
Update crates and fix a nightly lint by @BlackDex in #7161
Fix Host/IP resolving by @BlackDex in #7162
Several SSO Fixes by @BlackDex in #7163
Add support for archiving items by @matt-aaron in #6916
Fix favicon fetching to check all icon links instead of just the first one by @Shocker in #6880
Fix merge conflict by @dani-garcia in #7164
Replace organization_uuid unwrap with proper error handling by @xjohnyknox in #6936
fix: return Err instead of panic on unknown cipher atype in to_json() by @mango766 in #7068
Allow SQLite to be linked against dynamically by @ISSOtm in #7057
Update crates and web-vault by @BlackDex in #7171
Update hickory by @BlackDex in #7175

New Contributors

@matt-aaron made their first contribution in #6916
@Shocker made their first contribution in #6880
@xjohnyknox made their first contribution in #6936
@mango766 made their first contribution in #7068
@ISSOtm made their first contribution in #7057

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0

You can discuss this release here https://github.com/dani-garcia/vaultwarden/discussions/7177

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [vaultwarden/server](https://github.com/dani-garcia/vaultwarden) | minor | `1.35.8-alpine` → `1.36.0-alpine` | --- ### Release Notes <details> <summary>dani-garcia/vaultwarden (vaultwarden/server)</summary> ### [`v1.36.0`](https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0) [Compare Source](https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0) #### Security Fixes This release contains security fixes for the following advisories. We strongly advice to update as soon as possible. - SSO Login CSRF [GHSA-pfp2-jhgq-6hg5](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-pfp2-jhgq-6hg5) [GHSA-w6h6-8r66-hcv7](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w6h6-8r66-hcv7) - User/Organization Enumeration [GHSA-hxqh-ff5p-wfr3](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-hxqh-ff5p-wfr3) - SSO existing-user binding [GHSA-j4j8-gpvj-7fqr](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4j8-gpvj-7fqr) [GHSA-6x5c-84vm-5j56](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-6x5c-84vm-5j56) - SSRF via Icon Endpoint [GHSA-72vh-x5jq-m82g](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-72vh-x5jq-m82g) - Some crate's updated and other minor security enhancements These are private for now, pending CVE assignment. #### Notes - Archiving of items is available <https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/> <https://bitwarden.com/nl-nl/help/managing-items/#archive> - Web Vault updated to v2026.4.1 #### What's Changed - SSO fallback to UserInfo preferred\_username by [@Timshel](https://github.com/Timshel) in [#7128](https://github.com/dani-garcia/vaultwarden/pull/7128) - Dummy identifier need to pass for a guid by [@Timshel](https://github.com/Timshel) in [#7154](https://github.com/dani-garcia/vaultwarden/pull/7154) - add new /identity/accounts/prelogin/password by [@stefan0xC](https://github.com/stefan0xC) in [#7156](https://github.com/dani-garcia/vaultwarden/pull/7156) - Add DuckDuckGo browser device type by [@dfunkt](https://github.com/dfunkt) in [#7147](https://github.com/dani-garcia/vaultwarden/pull/7147) - Apply `duration_suboptimal_units` lint findings by [@dfunkt](https://github.com/dfunkt) in [#7144](https://github.com/dani-garcia/vaultwarden/pull/7144) - Apply `ref_option` lint findings by [@dfunkt](https://github.com/dfunkt) in [#7143](https://github.com/dani-garcia/vaultwarden/pull/7143) - Fix hardcoded sso identifier by [@Timshel](https://github.com/Timshel) in [#7157](https://github.com/dani-garcia/vaultwarden/pull/7157) - Update crates and fix a nightly lint by [@BlackDex](https://github.com/BlackDex) in [#7161](https://github.com/dani-garcia/vaultwarden/pull/7161) - Fix Host/IP resolving by [@BlackDex](https://github.com/BlackDex) in [#7162](https://github.com/dani-garcia/vaultwarden/pull/7162) - Several SSO Fixes by [@BlackDex](https://github.com/BlackDex) in [#7163](https://github.com/dani-garcia/vaultwarden/pull/7163) - Add support for archiving items by [@matt-aaron](https://github.com/matt-aaron) in [#6916](https://github.com/dani-garcia/vaultwarden/pull/6916) - Fix favicon fetching to check all icon links instead of just the first one by [@Shocker](https://github.com/Shocker) in [#6880](https://github.com/dani-garcia/vaultwarden/pull/6880) - Fix merge conflict by [@dani-garcia](https://github.com/dani-garcia) in [#7164](https://github.com/dani-garcia/vaultwarden/pull/7164) - Replace organization\_uuid unwrap with proper error handling by [@xjohnyknox](https://github.com/xjohnyknox) in [#6936](https://github.com/dani-garcia/vaultwarden/pull/6936) - fix: return Err instead of panic on unknown cipher atype in to\_json() by [@mango766](https://github.com/mango766) in [#7068](https://github.com/dani-garcia/vaultwarden/pull/7068) - Allow SQLite to be linked against dynamically by [@ISSOtm](https://github.com/ISSOtm) in [#7057](https://github.com/dani-garcia/vaultwarden/pull/7057) - Update crates and web-vault by [@BlackDex](https://github.com/BlackDex) in [#7171](https://github.com/dani-garcia/vaultwarden/pull/7171) - Update hickory by [@BlackDex](https://github.com/BlackDex) in [#7175](https://github.com/dani-garcia/vaultwarden/pull/7175) #### New Contributors - [@matt-aaron](https://github.com/matt-aaron) made their first contribution in [#6916](https://github.com/dani-garcia/vaultwarden/pull/6916) - [@Shocker](https://github.com/Shocker) made their first contribution in [#6880](https://github.com/dani-garcia/vaultwarden/pull/6880) - [@xjohnyknox](https://github.com/xjohnyknox) made their first contribution in [#6936](https://github.com/dani-garcia/vaultwarden/pull/6936) - [@mango766](https://github.com/mango766) made their first contribution in [#7068](https://github.com/dani-garcia/vaultwarden/pull/7068) - [@ISSOtm](https://github.com/ISSOtm) made their first contribution in [#7057](https://github.com/dani-garcia/vaultwarden/pull/7057) **Full Changelog**: <https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0> You can discuss this release here <https://github.com/dani-garcia/vaultwarden/discussions/7177> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate-bot added 1 commit

2026-05-04 02:20:38 +00:00

chore(deps): update vaultwarden/server docker tag to v1.36.0 7f8bd9c31d