• v1.36.3 d257ffa8c4

    Vaultwarden-Plus v1.36.3
    Stable

    StefanSA released this 2026-07-03 09:58:59 +02:00 | 2 commits to main since this release

    Stable release date: 2026-07-03

    This release promotes the manually validated Organization Account Recovery feature into the public release line while keeping the bundled Web Vault intentionally pinned to 2026.4.1.

    Highlights

    • Organization Account Recovery server implementation is available for enrolled organization members.
    • Web Vault 2026.4.1 integration is validated through the Admin Console recovery flow.
    • Admin Recover Account uses PUT /organizations/{orgId}/users/{memberId}/recover-account.
    • Affected members complete the forced password-reset flow through PUT /accounts/update-temp-password.
    • Legacy password payloads with newMasterPasswordHash and key remain supported.
    • V2 password payloads with authenticationData and unlockData remain supported.
    • 2FA-only recovery requests remain supported through resetTwoFactor=true.
    • The Web Vault adapter now handles legacy /reset-password rewrites, direct /recover-account requests, and fetch(Request) body cloning.

    Security

    • Zero-knowledge constraints remain unchanged: the server does not store plaintext master passwords, plaintext vault keys, plaintext organization private keys, passkey PRF secrets, trusted-device key material, or decrypted vault contents.
    • Recovery requires organization policy support, enrolled recovery material, authorization, and valid recovery payloads.
    • Credential mutation remains fail-closed when the recovery request is malformed or no recovery action is requested.
    • Recovery material, tokens, passwords, encrypted keys, and mail action links must not be logged or committed.
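
The fail-closed rule above, sketched in Rust as an added example (not code from Vaultwarden-Plus): a request is classified as legacy, V2, or 2FA-only before any credential is changed, and everything else is rejected. The struct, enum and function names are hypothetical, rejecting a request that mixes legacy and V2 fields is an assumption, and the policy, enrollment and authorization checks are out of scope.

```rust
// Added illustration, not Vaultwarden-Plus source. Field names mirror the JSON
// keys in the release notes; the struct, enums and rules are assumptions.
#[derive(Default)]
pub struct RecoverRequest {
    pub new_master_password_hash: Option<String>, // legacy
    pub key: Option<String>,                      // legacy
    pub authentication_data: Option<String>,      // V2, treated as opaque here
    pub unlock_data: Option<String>,              // V2, treated as opaque here
    pub reset_two_factor: bool,
}
#[derive(Debug, PartialEq)]
pub enum PasswordAction { Unchanged, Legacy, V2 }
#[derive(Debug, PartialEq)]
pub struct Plan { pub password: PasswordAction, pub reset_two_factor: bool }
#[derive(Debug, PartialEq)]
pub enum Reject { PartialPayload, MixedFormats, EmptyField, NoAction }

// A field pair is absent (false), complete (true), or an error.
fn pair(a: &Option<String>, b: &Option<String>) -> Result<bool, Reject> {
    match (a, b) {
        (None, None) => Ok(false),
        (Some(x), Some(y)) if !x.trim().is_empty() && !y.trim().is_empty() => Ok(true),
        (Some(_), Some(_)) => Err(Reject::EmptyField),
        _ => Err(Reject::PartialPayload),
    }
}

/// Decide the recovery action before any stored credential is touched. Every
/// path that is not an explicit, complete request returns Err.
pub fn plan_recovery(r: &RecoverRequest) -> Result<Plan, Reject> {
    let legacy = pair(&r.new_master_password_hash, &r.key)?;
    let v2 = pair(&r.authentication_data, &r.unlock_data)?;
    let password = match (legacy, v2) {
        (true, true) => return Err(Reject::MixedFormats), // ambiguous: refuse
        (true, false) => PasswordAction::Legacy,
        (false, true) => PasswordAction::V2,
        (false, false) => PasswordAction::Unchanged,
    };
    if password == PasswordAction::Unchanged && !r.reset_two_factor {
        return Err(Reject::NoAction); // nothing requested: mutate nothing
    }
    Ok(Plan { password, reset_two_factor: r.reset_two_factor })
}

fn main() {
    // Constructed sample: a 2FA-only request.
    let r = RecoverRequest { reset_two_factor: true, ..Default::default() };
    println!("{:?}", plan_recovery(&r));
}
```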

    Compatibility

    • Web Vault intentionally remains on version 2026.4.1.
    • The adapter preserves compatibility with older Web Vault calls that still use /reset-password.
    • The adapter supports current Web Vault 2026.4.1 direct /recover-account calls and request-body handling.
    • Official client compatibility remains the primary release constraint.
    • Remaining non-core differences are still tracked separately:
      • provider-specific behavior
      • custom role permissions
      • Key Connector handling

    Operator Improvements

    • Release image is published as:
      • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:1.36.3
      • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:latest
      • forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:<short-sha>
    • Release artifacts:
      • vaultwarden-plus-1.36.3.tar.gz
      • vaultwarden-plus-1.36.3.tar.gz.sha256
    • No database migration or configuration migration is required.
    • SMTP, sendmail, or SES must be configured for recovery notification mail.

    Validation

    • Manual end-to-end validation completed on an isolated local stack with Vaultwarden-Plus, SQLite, and Maildev.
    • Validated:
      • Web Vault loads.
      • Account Recovery policy and enrollment make the Recover Account menu visible.
      • Admin Recover Account completes successfully.
      • Member login enters forced password-reset state.
      • PUT /accounts/update-temp-password completes recovery.
      • Web Vault 2026.4.1 adapter injection works for the observed request path.

    Documentation

    • README.md
    • CHANGELOG.md
    • docs/CHANGELOG.md
    • docs/PROJECT_STATE.md
    • docs/PRODUCT.md
    • docs/MAINTAINER_GUIDE.md
    • docs/upstream/FEATURE_MATRIX.md
    • docs/upstream/UPSTREAM_ISSUE_TRACKER.md
    • docs/releases/2026-07-v1.36.3/RELEASE_NOTES.md

    Deferred

    • Provider-specific account recovery behavior.
    • Custom role manageResetPassword parity.
    • Key Connector account recovery behavior.
    • Web Vault upgrades beyond 2026.4.1 until an accepted upstream artifact is available and separately validated.