Vaultwarden-Plus v1.36.3
Stable, released 2026-07-03 09:58:59 +02:00 | 2 commits to main since this release
Stable release date: 2026-07-03
This release promotes the manually validated Organization Account Recovery feature into the public release line while keeping the bundled Web Vault intentionally pinned to 2026.4.1.
Highlights
- Organization Account Recovery server implementation is available for enrolled organization members.
- Web Vault 2026.4.1 integration is validated through the Admin Console recovery flow.
- Admin Recover Account uses PUT /organizations/{orgId}/users/{memberId}/recover-account.
- Affected members complete the forced password-reset flow through PUT /accounts/update-temp-password.
- Legacy password payloads with newMasterPasswordHash and key remain supported.
- V2 password payloads with authenticationData and unlockData remain supported.
- 2FA-only recovery requests remain supported through resetTwoFactor=true.
- The Web Vault adapter now handles legacy /reset-password rewrites, direct /recover-account requests, and fetch(Request) body cloning.
Security
- Zero-knowledge constraints remain unchanged: the server does not store plaintext master passwords, plaintext vault keys, plaintext organization private keys, passkey PRF secrets, trusted-device key material, or decrypted vault contents.
- Recovery requires organization policy support, enrolled recovery material, authorization, and valid recovery payloads.
- Credential mutation remains fail-closed when the recovery request is malformed or no recovery action is requested.
- Recovery material, tokens, passwords, encrypted keys, and mail action links must not be logged or committed.
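The fail-closed rule above, sketched as an added Rust example; it is not Vaultwarden-Plus source. The field names are the ones listed under Highlights, while the type names, the treatment of payload values as opaque strings, and the pairing and precedence rules are assumptions made for illustration.

```rust
// Added illustration, not Vaultwarden-Plus source. Field names come from the
// release notes; opaque-string values and the rules below are assumptions.
#[derive(Default)]
pub struct RecoverAccountRequest {
    pub new_master_password_hash: Option<String>, // legacy: newMasterPasswordHash
    pub key: Option<String>,                      // legacy: key
    pub authentication_data: Option<String>,      // V2: authenticationData
    pub unlock_data: Option<String>,              // V2: unlockData
    pub reset_two_factor: Option<bool>,           // resetTwoFactor
}

#[derive(Debug, PartialEq)]
pub enum PasswordPayload { None, Legacy, V2 }

#[derive(Debug, PartialEq)]
pub struct RecoveryPlan { pub password: PasswordPayload, pub reset_two_factor: bool }

#[derive(Debug, PartialEq)]
pub enum Rejected { IncompletePayload, NoActionRequested }

fn present(v: &Option<String>) -> bool {
    v.as_deref().map_or(false, |s| !s.trim().is_empty())
}

/// Decide what to mutate before touching any credential; every request that
/// is not fully formed returns Err, so the caller changes nothing.
pub fn plan_recovery(req: &RecoverAccountRequest) -> Result<RecoveryPlan, Rejected> {
    let legacy = (present(&req.new_master_password_hash), present(&req.key));
    let v2 = (present(&req.authentication_data), present(&req.unlock_data));
    // Half of a pair is malformed: never rotate a hash without its wrapped key.
    if legacy.0 != legacy.1 || v2.0 != v2.1 {
        return Err(Rejected::IncompletePayload);
    }
    let password = match (legacy.0, v2.0) {
        (_, true) => PasswordPayload::V2, // assumption: V2 wins when both are sent
        (true, false) => PasswordPayload::Legacy,
        (false, false) => PasswordPayload::None,
    };
    let reset_two_factor = req.reset_two_factor.unwrap_or(false);
    if password == PasswordPayload::None && !reset_two_factor {
        return Err(Rejected::NoActionRequested);
    }
    Ok(RecoveryPlan { password, reset_two_factor })
}

fn main() {
    // Constructed sample: a 2FA-only recovery request.
    let req = RecoverAccountRequest { reset_two_factor: Some(true), ..Default::default() };
    println!("{:?}", plan_recovery(&req));
}
```

Producing the plan before any write keeps authorization, validation and mutation as separate steps, so a rejected request leaves the member's credentials untouched.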
Compatibility
- Web Vault intentionally remains on version 2026.4.1.
- The adapter preserves compatibility with older Web Vault calls that still use /reset-password.
- The adapter supports current Web Vault 2026.4.1 direct /recover-account calls and request-body handling.
- Official client compatibility remains the primary release constraint.
- Remaining non-core differences are still tracked separately:
  - provider-specific behavior
  - custom role permissions
  - Key Connector handling
Operator Improvements
- Release image is published as:
  - forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:1.36.3
  - forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:latest
  - forgejo.sabolowitsch.org/stefansa/vaultwarden-plus:<short-sha>
- Release artifacts:
  - vaultwarden-plus-1.36.3.tar.gz
  - vaultwarden-plus-1.36.3.tar.gz.sha256
- No database migration or configuration migration is required.
- SMTP, sendmail, or SES must be configured for recovery notification mail.
Validation
- Manual end-to-end validation completed on an isolated local stack with Vaultwarden-Plus, SQLite, and Maildev.
- Validated:
  - Web Vault loads.
  - Account Recovery policy and enrollment make the Recover Account menu visible.
  - Admin Recover Account completes successfully.
  - Member login enters forced password-reset state.
  - PUT /accounts/update-temp-password completes recovery.
  - Web Vault 2026.4.1 adapter injection works for the observed request path.
Documentation
- README.md
- CHANGELOG.md
- docs/CHANGELOG.md
- docs/PROJECT_STATE.md
- docs/PRODUCT.md
- docs/MAINTAINER_GUIDE.md
- docs/upstream/FEATURE_MATRIX.md
- docs/upstream/UPSTREAM_ISSUE_TRACKER.md
- docs/releases/2026-07-v1.36.3/RELEASE_NOTES.md
Deferred
- Provider-specific account recovery behavior.
- Custom role manageResetPassword parity.
- Key Connector account recovery behavior.
- Web Vault upgrades beyond 2026.4.1 until an accepted upstream artifact is available and separately validated.