Vaultwarden fails to start after update – DB migration error (SSO)

I assume this may be more of Vaultwarden issue than a Cloudron one but I wanted to say the recent image update (https://forum.cloudron.io/topic/2546/vaultwarden-package-updates/79?_=1778039394241) seems to have broken Vaultwarden, requiring me to restore from backup.

May 05 20:47:32 => Exporting env vars expected by Vaultwarden
May 05 20:47:32 => Starting Bitwarden
May 05 20:47:32 /--------------------------------------------------------------------\
May 05 20:47:32 |                        Starting Vaultwarden                        |
May 05 20:47:32 |--------------------------------------------------------------------|
May 05 20:47:32 | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
May 05 20:47:32 | official channels to report bugs/features, regardless of client.   |
May 05 20:47:32 | Send usage/configuration questions or feature requests to:         |
May 05 20:47:32 |   https://github.com/dani-garcia/vaultwarden/discussions or        |
May 05 20:47:32 |   https://vaultwarden.discourse.group/                             |
May 05 20:47:32 | Report suspected bugs/issues in the software itself at:            |
May 05 20:47:32 |   https://github.com/dani-garcia/vaultwarden/issues/new            |
May 05 20:47:32 \--------------------------------------------------------------------/
May 05 20:47:32 2026-05-06T03:47:32Z 
May 05 20:47:32 [INFO] Using saved config from `/app/data/config.json` for configuration.
May 05 20:47:32 2026-05-06T03:47:32Z 
May 05 20:47:32 [2026-05-06 03:47:32.167][panic][ERROR] thread 'main' panicked at 'Error running migrations: QueryError(DieselMigrationName { name: "2026-03-09-005927_add_archives", version: MigrationVersion("20260309005927") }, DatabaseError(Unknown, "Referencing column 'user_uuid' and referenced column 'uuid' in foreign key constraint 'archives_ibfk_1' are incompatible."))': src/db/mod.rs:501
May 05 20:47:32 0: vaultwarden::init_logging::{{closure}}
May 05 20:47:32 1: std::panicking::panic_with_hook
May 05 20:47:32 2: std::panicking::panic_handler::{closure#0}
May 05 20:47:32 3: std::sys::backtrace::__rust_end_short_backtrace::<std::panicking::panic_handler::{closure#0}, !>
May 05 20:47:32 4: __rustc::rust_begin_unwind
May 05 20:47:32 5: core::panicking::panic_fmt
May 05 20:47:32 6: core::result::unwrap_failed
May 05 20:47:32 7: vaultwarden::db::DbPool::from_config
May 05 20:47:32 8: vaultwarden::main::{{closure}}
May 05 20:47:32 9: vaultwarden::main
May 05 20:47:32 10: std::sys::backtrace::__rust_begin_short_backtrace
May 05 20:47:32 11: main
May 05 20:47:32 12: <unknown>
May 05 20:47:32 13: __libc_start_main
May 05 20:47:32 14: _start

Any ideas on this one?

@timconsidine So does Umami but it doesn't seem to work too well, haha. I just installed it last night from the community package that you built and will try that out today on a few sites to compare the data. I really appreciate you putting that together!

Not to distract too much from the original topic, but do you have a Claude Skill or something that you use to help package apps for Cloudron? I just realized a Claude Skill may be super helpful for something like this and maybe it'll help me package some apps myself too which I've avoided since I was never too knowledgable of the full process yet.

@timconsidine oh this is fantastic! I love Umami overall but the main trip up for me is the excessive bot requests that it’s tagging as valid analytics. So many hits (multiplier over expected Canadian visitors for a small local business) from Singapore for example, and it’s all basically Petalbot traffic hitting the client sites with a 100% bounce rate. If I exclude bounce rate (a new feature in the Umami dashboard) then it is much closer to expected traffic data. There’s been a few posts from a few users (including myself) in their GitHub repo but seemingly no desire to fix it. ‍️

Because of that, I’d definitely be interested in Rybbit analytics on Cloudron. Happy to beta test the community package if that helps.

@jadudm Agreed. But isn’t that something configurable in the package? Looks like it isn’t a user-facing setting, but I assume this can be taken care of in the code part of the package? I’m not super familiar with packing apps just yet so correct me if I’m wrong.

Probably worth setting the client max body size to 0 for unlimited since there will be all sorts of sizes to an app that’s used for backups. I’m just surprised nobody else has run into this issue, it happens immediately upon backup.

@timconsidine hi Tim,

I tried to use the community app but I get a 413 response code (which suggests the payload is too large). It happens at the very first backup attempt.

Any suggestions? Is there anything I may have missed, or anything you had to do after deploying the app? Did you ever run into the 413?

I’m using tarball and encryption in case that matters at all.

I haven’t used Garage yet but isn’t it just another s3? So it’d basically be a MinIO replacement, right? Do we have any other options for ones with “hardlinks” using rsync? I kind of think the Surfer app would honestly be a great way to use as a backup somehow if it could be used to expose a disk.

I am in a similar position. I currently use iDrive e2 for backups and it’s fine but it does take around 1.5 hours uploading tarballs from my server. I’m looking at possibly deploying a low-budget Kimsufi server in the same OVH data centre and just mounting that disk as SSHFS to Cloudron on my primary server, haven’t tried it out yet. If I go this way I will likely still keep iDrive as a second backup destination and just run it a little less frequently and with lower retention to save on costs a little bit there.

I’m wondering about MinIO alternatives as I tried MinIO on a second Cloudron install but it seemed to take even longer than uploading to iDrive e2 somehow (I expected it’d be quicker not slower). It seemed the project is dead too but then it also looks like there’s an active fork that maybe the Cloudron @staff can look into using instead. Brings back many of the lost MinIO features by the sounds of it too.

Thinking of other avenues to keep backups more “local” or as close to local as possible for rapid quick backups, and then completely offsite as a second backup plan too.

I have around 65 GB compressed to back up, around 125 GB uncompressed, I believe.

@girish , is this perhaps something we can consider adding in one of the next updates? This would be greatly beneficial to be able to specify the IP address for outbound traffic in Cloudron (at least for the mail container but maybe all containers in one setting might be better for some people, not too sure what the best approach is).

I found a couple of other related topics so it seems like there is a need for this. I think my solution should still work but likely just needs to be adapted by Cloudron to be more built-in with a GUI to set the outbound traffic IP (or maybe just have it default to the IP set in the Network page by default as I suspect the DNS record IP would be the same IP outbound traffic would be desired).

Other related topics I found:

• https://forum.cloudron.io/post/108717 (Haraka config for controlling outbound SMTP interface)
• https://forum.cloudron.io/post/81114 (SMTP using wrong IP address on interface with multiple addresses) (admittedly this one is a post I made myself before, lol)

In Cloudron 9.1.5 on the Event Log page, there is an issue with the Time column overlapping with the Source column, per the screenshot below:

I thought this was fixed previously or reported previously but I couldn't seem to find this report yet (forgive me if this is a duplicate).

In the browser, I did something like this to fix it, hopefully this can be included in the next patch:

Instead of <th data-v-cbe2d74a="" style="width: 160px;">Time</th>, I changed the width to 190px like this: <th data-v-cbe2d74a="" style="width: 190px;">Time</th> which seemed to resolve it per the screenshot below:

There's probably some different values that might work better, but that should at least resolve the issue where they overlap.

This was observed using Safari on macOS (26.4) by the way on a widescreen monitor, in case that helps too.

Personally, I also liked the view if I changed the following from 15% to 10% (<th data-v-cbe2d74a="" style="width: 10%;">Source</th>) as it brought in the Details column so more details could be seen in a single line (not sure if this will work on mobile or tablets though). Just seemed like there was a ton of white space between Source and Description columns to me. Maybe a minor improvement that can be made at the same time.

Hi all,

I've run into what appears to be a bug in the WordPress app where editing AVIF images results in a 0 KB file being written — essentially a blank/corrupt output. Uploading AVIF files works fine, and cropping WebP images works as expected, but any edit operation on an AVIF file fails silently with no error shown to the user other than the display showing a missing image.

Steps to Reproduce

1. In WordPress, go to Media Library and upload an AVIF image
2. Open the image and click "Edit Image"
3. Perform any crop operation and save
4. The resulting file is 0 KB and fails to load — the new image is effectively corrupt

This also affects setting a site favicon when the source file is AVIF (since it usually requires an image crop).

Environment

• Cloudron-managed WordPress
• Active image editor: WP_Image_Editor_Imagick
• ImageMagick version: 6.9.12-98 (Q16, x86_64)
• Imagick PHP extension: 3.7.0
• ImageMagick supported formats: (list too long, see screenshot at bottom of post)
• GD version: 2.3.3 (no AVIF support compiled in)
• GD supported formats: GIF, JPEG, PNG, WebP, BMP, XPM (no AVIF)

Screenshot included at bottom of post for whole Media Handling section of WordPress Site Health.

Suspected Cause

While ImageMagick 6.9 lists AVIF in its supported formats, reliable AVIF encode/write support appears to have been incomplete in the IM6 branch — the failure seems to occur at the re-encode step after editing. GD 2.3.3 is present but was compiled without libavif/libaom support, so there's no fallback path available either.

It's worth noting that IM6 is in maintenance mode — the version currently in the WordPress app (6.9.12-98, from 2023) isn't even the latest IM6 release, which is 6.9.13-38 as of January 19th (per https://imagemagick.org/archive/releases/). Whether the issue lies specifically in the ImageMagick version, the PHP Imagick extension, or the underlying libavif/libaom libraries not being compiled in, I'm not certain — happy to dig into this further if the team has ideas.

Possible Fix

Updating to ImageMagick 7.1.x in the WordPress app Docker image may resolve this. I appreciate IM7 isn't in the standard Ubuntu apt repos and would likely require compiling from source — so this isn't a trivial ask. That said, IM6 is effectively in legacy mode at this point, and IM7 brings broader improvements beyond AVIF support. As AVIF becomes increasingly common on the web, this is likely to affect more WordPress users on Cloudron over time.

If there's a different suspected cause or a simpler fix (aside from not using AVIF, lol), I'd be very open to exploring that too. Happy to provide any additional diagnostics if anything else is needed.

Thanks for looking into this!

in case it helps, here is an image of what is displayed in WordPress Media Library after cropping an AVIF file in it:


Media Handling screenshot from Site Health:

@girish , maybe this is a good feature for 9.1?

@girish I see it now, that’s great, thank you!

@imc67 I checked just a bit ago but didn’t actually see any update to the Developer one yet. Maybe I checked too early. Hopefully we see it soon so we can update the plugin.

Looks like just a short bit ago version 3.11.3 is out now.

https://github.com/oidc-wp/openid-connect-generic/issues/633#issuecomment-3894814402

I've released 3.11.3 which provides a setting for the issuer url. This seems like the the most reliable way to ensure each site can adjust depending on their IDP.

That's fantastic, thank you @girish!

@ccfu I tried in double-quotes but there was no difference, still throws the same error. Single-quotes too.

I noticed that when I try to set an email display name for a Cloudron app like WordPress that it won't allow values with commas in it. I'm trying to set the legal business name, but for some reason this is not working. The error I see in the user interface is mailbox display name is not valid. Interesting it accepts the ampersand (&), but not the comma (,) characters.

Is this intended behaviour though? It seems like a defect to me because I can't imagine why commas are not valid "From Display Name" characters, but wanted to double-check. To my knowledge, commas are allowed in an email "From Name".

I think Cloudron needs this database software for a few apps too that are in the Wishlist, such as Rybbit, Plausible, Dub, and more.

• Main Page: https://rybbit.com
• Git: https://github.com/rybbit-io/rybbit
• Licence: AGPL-3.0 license
• Dockerfile: Yes
• Demo: https://demo.rybbit.com/
• Documentation for Self-hosting: https://rybbit.com/docs/self-hosting

---

• Summary: Privacy-first, cookieless Google Analytics replacement that's lightweight and GDPR/CCPA compliant by default. Features include real-time analytics, session replay, conversion funnels, user journey tracking, web vitals monitoring, and built-in bot detection. Self-hostable with a modern, intuitive dashboard that works seamlessly across all devices.

---

• Notes: Lots of great features, including a session replay which I think is really cool, along with the ability to view PageSpeed Web Vitals details on every page. IMO, it seems much more detailed than Umami without being overwhelming (balances a really nice UI and small analytics script file size like Umami), while still having a mature feature-set like Matomo. It also has a Umami data importer for easy transfer too. It also (and almost most importantly to me) looks really good on mobile devices when viewing data statistics, whereas Umami is a bit underwhelming in that department for users who like to view statistics while on the go.

---

• Alternative to / Libhunt link: https://selfhosted.libhunt.com/rybbit-alternatives
• Screenshots:
  
  

@marcusquinn said in Sharing custom SpamAssassin Rules:

Nice, so which would you recommend?

For the Cloudron DNSBL list? I personally am using Spamhaus and Abusix's Exploit list to completely reject only the most obvious of spam, leaving the rest to be filtered via SpamAssassin to the inbox or junk folder.

zen.spamhaus.org
{API_KEY}.exploit.mail.abusix.zone