1.27.0

New features

Event logs for organizations

With this feature enabled, actions occurring inside an organization will be recorded in a log, viewable by organization admins and owners. Check the official documentation to learn more: https://bitwarden.com/help/event-logs/ (Note that the Public API is not yet implemented, so the events are only viewable in the Web Vault)

To enable this feature, set ORG_EVENTS_ENABLED=true. By default all events will be stored indefinitely, if you want to limit that, you can use the EVENTS_DAYS_RETAIN option. You can also tune the cleanup schedule with EVENT_CLEANUP_SCHEDULE.

Group support (beta)

Enables the creation and use of groups inside an organization. At the moment this is in beta because there are some known issues (#2989). Still, the more this feature is tested, the faster we will be able to stabilize it.

To enable this feature, set ORG_GROUPS_ENABLED=true, make sure to make proper backups of your instance before hand.

What's Changed

• Group support | applied .diff by @MFijak in #2846
• Add Organizational event logging feature by @BlackDex in #2868
• Updated web vault to 2022.12.0 by @dani-garcia
• Update diesel to 2.0.2 by @dani-garcia in #2724
• Limit Cipher Note encrypted string size by @BlackDex in #2945
• fix invitations of new users when mail is disabled by @stefan0xC in #2773
• attach images in email by @stefan0xC in #2784
• allow registration without invite link by @stefan0xC in #2799
• Fix master password hint update not working. by @BlackDex in #2834
• Sync global_domains.json by @jjlin in #2840
• verify email on registration by invite by @stefan0xC in #2804
• Take ROCKET_ADDRESS into account in the Docker healthcheck by @jjlin in #2844
• Update github workflows by @BlackDex in #2852
• feat: Bump web-vault to v2022.10.1 by @GeekCornerGH in #2859
• Update Rust version, deps and workflow by @BlackDex in #2888
• Add /devices/knowndevice endpoint by @BlackDex in #2893
• fix: removed a double space by @GeekCornerGH in #2894
• Support Org Export for v2022.11 clients by @BlackDex in #2899
• Use constant size generic parameter for random bytes generation by @samueltardieu in #2910
• Update config comment to reflect rfc8314. by @skid9000 in #2911
• Set "Bypass admin page security" as read-only by @BlackDex in #2918
• Fully remove DuckDuckGo email service. by @BlackDex in #2919
• Added missing register endpoint to identity by @BlackDex in #2920
• Prevent DNS leak when icon regex is configured by @BlackDex in #2921
• Update settings description by @karbobc in #2928
• allow managers to set groups of a collection by @stefan0xC in #2933
• Update Vaultwarden Logo's by @BlackDex in #2940
• check if sqlite folder exists by @stefan0xC in #2873
• redirect to admin login page when forward fails by @stefan0xC in #2886
• Cleanups and Fixes for Emergency Access by @BlackDex in #2936
• Update dependencies for Rust and Admin interface. by @BlackDex in #2941
• Fix admin repost warning. by @BlackDex in #2953
• Add dev-only query logging support by @BlackDex in #2954
• Fix managers and groups link by @BlackDex in #2947
• use a custom 404 page by @stefan0xC in #2948
• Increase privacy of masked config by @BlackDex in #2963
• Improve comments by @tessus in #2969
• use black favicon for /admin by @tessus in #2970
• Remove ctrlc crate and some updates by @BlackDex in #2971
• Fix org export (again) by @BlackDex in #2973
• Revert collection queries back to left_join by @BlackDex in #2976
• Fix recover-2fa not working. by @BlackDex in #2994
• Disable groups by default and Some optimizations by @BlackDex in #2995
• Fix a panic during Yubikey register/login by @BlackDex in #3006

New Contributors

• @MFijak made their first contribution in #2846
• @GeekCornerGH made their first contribution in #2859
• @samueltardieu made their first contribution in #2910
• @skid9000 made their first contribution in #2911
• @karbobc made their first contribution in #2928
• @tessus made their first contribution in #2969

Full Changelog: 1.26.0...1.27.0

1.26.0

What's Changed

• Updated web vault to v2022.10.0
• Fix uploads from mobile clients (and dep updates) by @BlackDex in #2675
• Update deps and Alpine image by @BlackDex in #2665
• Add support for send v2 API endpoints by @BlackDex in #2756
• External Links | Optimize behavior by @Fvbor in #2693
• Add Org user revoke feature by @BlackDex in #2698
• Change the handling of login errors. by @BlackDex in #2729
• Added support for web-vault v2022.9 by @BlackDex in #2732
• add not_found catcher for 404 errors by @stefan0xC in #2768
• Fix issue 2737, unable to create org by @BlackDex in #2738
• Rename/Fix revoke/restore endpoints by @BlackDex in #2739
• Update CSP for DuckDuckGo email forwarding by @jjlin in #2812
• check if data folder is a writable directory by @stefan0xC in #2811
• Update build workflow by @BlackDex in #2744
• fix: tooltip typo by @djbrownbear in #2746
• Update libraries and Rust version by @BlackDex in #2758
• Fix organization vault export by @BlackDex in #2765
• allow the removal of non-confirmed owners by @stefan0xC in #2772
• v2022.9.2 expects a json response while registering by @stefan0xC in #2803
• make invitation expiration time configurable by @stefan0xC in #2805
• return more descriptive JWT validation messages by @stefan0xC in #2806
• Add CreationDate to cipher response JSON by @jjlin in #2813
• fix link of license badge by @stefan0xC in #2816

New Contributors

• @Fvbor made their first contribution in #2693
• @djbrownbear made their first contribution in #2746
• @stefan0xC made their first contribution in #2768

Full Changelog: 1.25.2...1.26.0

1.25.2

⚠️ Reminder: If you are still using the bitwardenrs/server* Docker images, you need to migrate to the new vaultwarden image. Check #1642 for an explanation. The old images will not receive any new updates any longer.

Important

An incompatibility between the format in which some Bitwarden clients upload attachments and sends could lead to those uploads being silently corrupted. We believe this is occurring only when using the mobile clients and only on the latest vaultwarden 1.25.1.
To mitigate this issue, we're releasing this quick patch to make any upload that could lead to a corrupted file explicitly return an error, notifying the user of the problem.
We recommend updating as soon as possible, and checking that any recently uploaded attachments can be downloaded and opened correctly (The corrupted uploads will return an error when downloading or download a very small file).

We've also fixed the docker volume check added in 1.25.1, if you previously needed to set I_REALLY_WANT_VOLATILE_STORAGE=true to start the container, please try again without it, and open an issue if it still won't start.

What's Changed

• Fix persistent folder check within containers by @BlackDex in #2631
• Mitigate attachment/send upload issues by @BlackDex in #2650
• Fix issue with CSP and icon redirects by @BlackDex in #2624
• Update build workflow for CI by @BlackDex in #2632

Full Changelog: 1.25.1...1.25.2

1.25.1

⚠️ Reminder: If you are still using the bitwardenrs/server* Docker images, you need to migrate to the new vaultwarden image. Check #1642 for an explanation. The old images will not receive any new updates any longer.

What's Changed

• Updated included web vault to version 2022.6.2 by @dani-garcia
• Sync global_domains.json by @jjlin in #2555
• Add TMP_FOLDER to .env.template by @fox34 in #2489
• Allow FireFox relay in CSP. by @BlackDex in #2565
• Fix hidden ciphers within organizational view. by @BlackDex in #2567
• Add password_hints_allowed config option by @jjlin in #2586
• Fall back to move_copy_to if persist_to fails while saving uploaded files. by @ruifung in #2605
• Swap Websocket crate from ws to tungstenite, which is more maintained, supports async, and removes around 20 old duplicate versions of used crates by @dani-garcia
• Fix armv6 issue with bullseye images by @BlackDex in #2491
• Add a persistent volume check. by @BlackDex in #2501, #2507
• Adding "UserEnabled" and "CreatedAt" member to the json output of a User by @Lowaiz in #2523
• Bump lettre to 0.10.0-rc.7 by @paolobarbolini in #2531
• Small email sending code improvements by @paolobarbolini in #2532
• A little depreciation change by @binlab in #2556
• Fix identicons not always working by @BlackDex in #2571
• Small change in log-level for better debugging by @BlackDex in #2577
• Address inconsistency v{version} with and without a v in the version with most recent updates. by @nneul in #2595
• Bump openssl-src from 111.21.0+1.1.1p to 111.22.0+1.1.1q by @dependabot in #2599
• Add more clippy checks for better code/readability by @BlackDex in #2611
• Update deps, misc fixes and updates, small improvements on favicons and fix file-uploads by @BlackDex in #2543, #2568, #2619

New Contributors

• @fox34 made their first contribution in #2489
• @Lowaiz made their first contribution in #2523
• @binlab made their first contribution in #2556
• @nneul made their first contribution in #2595
• @dependabot made their first contribution in #2599
• @ruifung made their first contribution in #2605

Full Changelog: 1.25.0...1.25.1

1.25.0

⚠️ Reminder: If you are still using the bitwardenrs/server* Docker images, you need to migrate to the new vaultwarden image. Check #1642 for an explanation. The old images will not receive any new updates any longer.

What's Changed

• Updated included web vault to v2.28.1
• Update Rocket to 0.5 and async, and compile on stable by @dani-garcia in #2276
• Update async to prepare for main merge + several updates by @BlackDex in #2292
• Add IP address to missing/invalid password message for Sends by @jaen in #2313
• Add support for custom .env file path by @TinfoilSubmarine in #2315
• Added autofocus to pw field on admin login page by @taylorwmj in #2328
• Update login API code and update crates to fix CVE by @BlackDex in #2354
• Several updates and fixes by @BlackDex in #2379
• disable legacy X-XSS-Protection feature by @Wonderfall in #2380
• Fix building mimalloc on armv6 by @BlackDex in #2397
• Remove u2f implementation by @BlackDex in #2398
• Sync global_domains.json by @jjlin in #2400
• Add /api/{alive,now,version} endpoints by @jjlin in #2433
• Improve sync speed and updated dep. versions by @BlackDex in #2429
• Database connection init by @jjlin in #2440
• Fix upload limits and disable color logs by @BlackDex in #2480
• Update Rust version in Dockerfile by @BlackDex in #2481

New Contributors

• @jaen made their first contribution in #2313
• @TinfoilSubmarine made their first contribution in #2315
• @taylorwmj made their first contribution in #2328
• @Wonderfall made their first contribution in #2380

Full Changelog: 1.24.0...1.25.0

1.24.0

⚠️ Reminder: If you are still using the bitwardenrs/server* Docker images, you need to migrate to the new vaultwarden image. Check #1642 for an explanation. The old images will not receive any new updates any longer.

What's Changed

• Add support for external icon services by @jjlin in #2158
  • Add config option to set the HTTP redirect code for external icons by @jjlin in #2188
  • Add support for legacy HTTP 301/302 redirects for external icons by @jjlin in #2218
• Support all DB's for Alpine and Debian by @BlackDex in #2172
• Add support for API keys by @jjlin in #2245
• Basic ratelimit for user login (including 2FA) and admin login by @dani-garcia in #2165
• Upgrade Feature-Policy to Permissions-Policy by @iamdoubz in #2228
• Set Expires header when caching responses by @RealOrangeOne in #2182
• Increase length limit for email token generation by @jjlin in #2257
• Small changes to icon log messages. by @BlackDex in #2170
• Bump rust version to mitigate CVE-2022-21658 by @dscottboggs in #2255
• Fixed #2151 by @BlackDex in #2169
• Fixed issue #2154 by @BlackDex in #2194
• Fix issue with Bitwarden CLI. by @BlackDex in #2197
• Fix emergency access invites for new users by @BlackDex in #2217
• Sync global_domains.json by @jjlin in #2156
• Sync global_domains.json by @jjlin in #2171

New Contributors

• @iamdoubz made their first contribution in #2228
• @dscottboggs made their first contribution in #2255

Full Changelog: 1.23.1...1.24.0

1.23.1

⚠️ Reminder: If you are still using the bitwardenrs/server* Docker images, you need to migrate to the new vaultwarden image. Check #1642 for an explanation. The old images will not receive any new updates any longer.

What's Changed

• Add email notifications for incomplete 2FA logins by @jjlin in #2067
• Fix conflict resolution logic for read_only and hide_passwords flags by @jjlin in #2073
• Fix missing encrypted key after emergency access reject by @jjlin in #2078
• Fix PostgreSQL migration by @jjlin in #2080
• Macro recursion decrease and other optimizations by @BlackDex in #2084
• Enabled trust-dns and some updates. by @BlackDex in #2125
• Update web vault to 2.25.0

Full Changelog: 1.23.0...1.23.1

1.23.0

⚠️ Reminder: If you are still using the bitwardenrs/server* Docker images, you need to migrate to the new vaultwarden image. Check #1642 for an explanation. The old images are deprecated and will stop being updated after 1.23.0.

• Added emergency access feature
  • Can be disabled setting EMERGENCY_ACCESS_ALLOWED=false
• Added support for single organization policy
• Fixed incorrect webauthn origin
• Enforce personal ownership policy on imports
• Fixed issue using uppercase characters on emails
• Updated web vault to 2.23.0
• Added organization bulk user management actions (reinvite/confirm/delete)
• Removed limmit that disabled sending ciphers with attachments
• Disabled enforcing of two factor organization policy on users that haven't been accepted yet
• Added tzdata to the alpine containers, to be able to set a different timezone to UTC
• Updated icon fetching to make it work on unicode websites
• Docker images are now built using Github Actions, and the base images have been updated
• Added database connection check to /alive endpoint
• Updated dependencies

1.22.2

⚠️ Reminder: If you are still using the bitwardenrs/server* Docker images, you need to migrate to the new vaultwarden image. Check #1642 for an explanation. The old images are deprecated and will stop being updated after 1.23.0.

• Updated web vault to 2.21.1.
• Enforce 2FA policy in organizations.
• Protect send routes against a possible path traversal attack.
• Disable show_password_hint by default, it still can be enabled in the admin panel or with environment variables.
• Disable user verification enforcement in Webauthn, which would make some users unable to login.
• Fix issue that wouldn't correctly delete Webauthn Key.
• Added Edge extension support for Webauthn.

1.22.1

⚠️ Reminder: If you are still using the bitwardenrs/server* Docker images, you need to migrate to the new vaultwarden image. Check #1642 for an explanation. The old images are deprecated and will stop being updated after 1.23.0.

• Fix alpine builds