[1.25.0]
Update vaultwarden to 1.36.0
Full Changelog
SSO Login CSRF GHSA-pfp2-jhgq-6hg5 GHSA-w6h6-8r66-hcv7
User/Organization Enumeration GHSA-hxqh-ff5p-wfr3
SSO existing-user binding GHSA-j4j8-gpvj-7fqr GHSA-6x5c-84vm-5j56
SSRF via Icon Endpoint GHSA-72vh-x5jq-m82g
Archiving of items is available https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/ https://bitwarden.com/nl-nl/help/managing-items/#archive
Web Vault updated to v2026.4.1
SSO fallback to UserInfo preferred_username by @Timshel in #7128
Add support for archiving items by @matt-aaron in #6916
Fix favicon fetching to check all icon links instead of just the first one by @Shocker in #6880
fix: return Err instead of panic on unknown cipher atype in to_json() by @mango766 in #7068
@james said:
Please follow these steps if you have this issue:
Can this script be run on the working version I reverted to, or do I need to update to the broken version and then run it?
Edit: yes, it seems fixing the db and then updating also works fine.
James, I found the solution. I forgot to add {} before and after the variable, which caused my config.json error. Now it's solved.
{
  "signups_allowed": false,
  "invitations_allowed": true
}
Yes, it is set to false.
Maybe I was tricked because I had one domain whitelisted. I don't remember if the "Register" link was always there. Would love to hide it.
It seems that the disabled registration does work. Sorry for alerting...
By the way, Vaultwarden itself is fine with assets living elsewhere. You can use surfer to host for example logo files and then drop the link in the user.vaultwarden.scss.hbs file.
@jdaviescoates the comment in the package says there are some values that can only be set in env. But I cannot find what they are. AFAICT, it is safe to empty it out.
@necrevistonnezr my installation is quite old - that's correct. Thanks for checking in!
@girish, thank you for the docs reference! Guess it might make sense to stress that during the installation, as well as an offer to increase KDF up to 2 mln (as per Bitwarden docs as well).
@necrevistonnezr Thank you for providing this information. It is really nice to know that although I am not a German taxpayer they are watching my back as well. Much appreciated. @joseph And as usual, Cloudron team is on the ball patching quickly so any exposure is minimized. Well done!