Vaultwarden 1.36.0 patches vulnerabilities (github.com)
from sanitation@lemmy.radio to selfhosted@lemmy.world on 03 May 21:40
https://lemmy.radio/post/13138281

Security fixes

This release contains security fixes for the following advisories. We strongly advise to update as soon as possible.

SSO Login CSRF - GHSA-pfp2-jhgq-6hg5, GHSA-w6h6-8r66-hcv7
User/Organization Enumeration - GHSA-hxqh-ff5p-wfr3
SSO existing-user binding - GHSA-j4j8-gpvj-7fqr
GHSA-6x5c-84vm-5j56
SSRF via Icon Endpoint - GHSA-72vh-x5jq-m82g
Some crates updated and other minor security enhancements

These are private for now, pending CVE assignment.

github.com/dani-garcia/vaultwarden/…/1.36.0

Original Reddit discussion: reddit.com/…/vaultwarden_1360_patches_vulnerabili…

Natanox@discuss.tchncs.de on 04 May 01:04

Uugh, why do I see this at 3 in the morning. Good thing there’s Termux.

irmadlad@lemmy.world on 04 May 01:50

Ooof! I think I have a pretty robust network security deployment. I’m just not convinced 100%, and therefore I am prohibited from deploying any self hosted password manager. Too risky. I know there are 1000s of people who, and kudos to you for being able to sleep at night. Your security must rival the SCIFs.

CameronDev@programming.dev on 04 May 02:59

What makes you think self hosted password managers are any riskier than a cloud hosted one?

immobile7801@piefed.social on 04 May 03:25

Yeah, mine’s not even exposed to the internet. I’d consider that more secure than cloud based Bitwarden.

irmadlad@lemmy.world on 04 May 12:13

Basically, because I feel that Bitwarden built this massive network with layers of security that I just don’t possess, and their track record is very good in that regard. Yes, they have had some breaches, but none that I am aware of where its central user database or encrypted vaults were exposed. The latest was a supply chain incident in April 2026 which was part of a broader supply chain attack affecting Checkmarx, not a direct compromise of Bitwarden’s infrastructure.

excess0680@lemmy.world on 04 May 07:49

Separate from the security fixes, Vaultwarden now lets clients have archiving capabilities. Before this update, I created a separate organization just to archive unused accounts. (Although now I have to deal with “moving” those accounts back to my main collection…)