Security fixes
This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.
SSO Login CSRF - GHSA-pfp2-jhgq-6hg5, GHSA-w6h6-8r66-hcv7
User/Organization Enumeration - GHSA-hxqh-ff5p-wfr3
SSO existing-user binding - GHSA-j4j8-gpvj-7fqr
GHSA-6x5c-84vm-5j56
SSRF via Icon Endpoint - GHSA-72vh-x5jq-m82g
Some crate’s updated and other minor security enhancements
These are private for now, pending CVE assignment.
https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0
Original Reddit discussion: https://www.reddit.com/r/selfhosted/comments/1t2qd26/vaultwarden_1360_patches_vulnerabilities/
Basically, because I feel that Bitwarden built this massive network with layers of security that I just don’t possess, and their track record is very good in that regard. Yes, they have had some breaches, but none that I am aware of where its central user database or encrypted vaults were exposed. The latest was a supply chain incident in April 2026 which was part of a broader supply chain attack affecting Checkmarx, not a direct compromise of Bitwarden’s infrastructure.
They are also a much bigger target, and can’t hide behind obscurity.
So its 6 of one, half a dozen of the other.
Sure, I get that. It’s just two things I don’t selfhost.: Password Managers, and anything financial.