Bump 1.36.0

[CameronMunroe]

1.36.0

Repository: dani-garcia/vaultwarden · Tag: 1.36.0 · Commit: f21a3ad · Released by: BlackDex

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

SSO Login CSRF
GHSA-pfp2-jhgq-6hg5
GHSA-w6h6-8r66-hcv7
User/Organization Enumeration
GHSA-hxqh-ff5p-wfr3
SSO existing-user binding
GHSA-j4j8-gpvj-7fqr
GHSA-6x5c-84vm-5j56
SSRF via Icon Endpoint
GHSA-72vh-x5jq-m82g
Some crate's updated and other minor security enhancements
These are private for now, pending CVE assignment.

Notes

Archiving of items is available
https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/
https://bitwarden.com/nl-nl/help/managing-items/#archive
Web Vault updated to v2026.4.1
What's Changed

SSO fallback to UserInfo preferred_username by @Timshel in dani-garcia/vaultwarden#7128
Dummy identifier need to pass for a guid by @Timshel in dani-garcia/vaultwarden#7154
add new /identity/accounts/prelogin/password by @stefan0xC in dani-garcia/vaultwarden#7156
Add DuckDuckGo browser device type by @dfunkt in dani-garcia/vaultwarden#7147
Apply duration_suboptimal_units lint findings by @dfunkt in dani-garcia/vaultwarden#7144
Apply ref_option lint findings by @dfunkt in dani-garcia/vaultwarden#7143
Fix hardcoded sso identifier by @Timshel in dani-garcia/vaultwarden#7157
Update crates and fix a nightly lint by @BlackDex in dani-garcia/vaultwarden#7161
Fix Host/IP resolving by @BlackDex in dani-garcia/vaultwarden#7162
Several SSO Fixes by @BlackDex in dani-garcia/vaultwarden#7163
Add support for archiving items by @matt-aaron in dani-garcia/vaultwarden#6916
Fix favicon fetching to check all icon links instead of just the first one by @Shocker in dani-garcia/vaultwarden#6880
Fix merge conflict by @dani-garcia in dani-garcia/vaultwarden#7164
Replace organization_uuid unwrap with proper error handling by @xjohnyknox in dani-garcia/vaultwarden#6936
fix: return Err instead of panic on unknown cipher atype in to_json() by @mango766 in dani-garcia/vaultwarden#7068
Allow SQLite to be linked against dynamically by @ISSOtm in dani-garcia/vaultwarden#7057
Update crates and web-vault by @BlackDex in dani-garcia/vaultwarden#7171
Update hickory by @BlackDex in dani-garcia/vaultwarden#7175
New Contributors

@matt-aaron made their first contribution in dani-garcia/vaultwarden#6916
@Shocker made their first contribution in dani-garcia/vaultwarden#6880
@xjohnyknox made their first contribution in dani-garcia/vaultwarden#6936
@mango766 made their first contribution in dani-garcia/vaultwarden#7068
@ISSOtm made their first contribution in dani-garcia/vaultwarden#7057
Full Changelog: dani-garcia/vaultwarden@1.35.8...1.36.0

—
This release has 2 assets:

Source code (zip)
Source code (tar.gz)
Visit the release page to download them.