Security fixes
This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.
SSO Login CSRF - GHSA-pfp2-jhgq-6hg5, GHSA-w6h6-8r66-hcv7
User/Organization Enumeration - GHSA-hxqh-ff5p-wfr3
SSO existing-user binding - GHSA-j4j8-gpvj-7fqr
GHSA-6x5c-84vm-5j56
SSRF via Icon Endpoint - GHSA-72vh-x5jq-m82g
Some crate’s updated and other minor security enhancements
These are private for now, pending CVE assignment.
https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0
Original Reddit discussion: https://www.reddit.com/r/selfhosted/comments/1t2qd26/vaultwarden_1360_patches_vulnerabilities/
Uugh, why do I see this at 3 in the morning. Good thing there’s Termux.
Separate from the security fixes, Vaultwarden now lets clients have archiving capabilities. Before this update, I created a separate organization just to archive unused accounts. (Although now I have to deal with “moving” those accounts back to my main collection…)
Ooof! I think I have a pretty robust network security deployment. I’m just not convinced 100%, and therefor I am prohibited from deploying any self hosted password manager. Too risky. I know there are 1000s of people who, and kudos to you for being able to sleep at night. Your security must rival the SCIFs.
What makes you think self hosted password managers are any riskier than a cloud hosted one?
I’m in the camp that believes I’m not that interesting of a target, Bitwarden is a much better target than my Vaultwarden instance. Do I believe that makes me invisible to attackers, nope; if someone is targeting you, relying on an external company doesn’t protect you, it just shifts the risks to them on paper.
Plus, if some is genuinely out to get you, they won’t waste time finding a vaultwarden zeroday, they’ll just bust out the wrenches…
That’s getting to be an old reference but still 100% accurate!
Basically, because I feel that Bitwarden built this massive network with layers of security that I just don’t possess, and their track record is very good in that regard. Yes, they have had some breaches, but none that I am aware of where its central user database or encrypted vaults were exposed. The latest was a supply chain incident in April 2026 which was part of a broader supply chain attack affecting Checkmarx, not a direct compromise of Bitwarden’s infrastructure.
They are also a much bigger target, and can’t hide behind obscurity.
So its 6 of one, half a dozen of the other.
Sure, I get that. It’s just two things I don’t selfhost.: Password Managers, and anything financial.
Yeah, mines not even exposed to the internet. I’d consider that more secure than cloud based bitwarden.
