Security Fixes
This release contains security fixes for the following advisories.
And we strongly advice to update as soon as possible.
- GHSA-f7r5-w49x-gxm3
This vulnerability is only possible if you do not have anADMIN_TOKENconfigured and open links or pages you should not trust anyway. Ensure you have anADMIN_TOKENconfigured to keep your admin environment save. - GHSA-h6cc-rc6q-23j4
This vulnerability is only possible if someone was able to gain access to your Vaultwarden Admin Backend. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email. - GHSA-j4h8-vch3-f797
This vulnerability affects all users who have multiple Organizations and users which are able to create a new organization or have admin or owner rights on at least one organization. The attacker does need to know the Organization UUID of the Organization it want's to attack or compromise though.
Notable changes
- Updated web-vault to v2025.1.1
- Added partial manage role support for collections
- Manager role is converted to a Custom role with either Manage All Collections or per collection.
Admins and Owners probably want to check and verify if the rights are still correct. - The OCI containers and binaries are signed via GitHub Attestations
This allows you to verify an OCI image or even thevaultwardenbinary located within the OCI image.
These vulnerabilities affects
What's Changed
- Add
inline-menu-positioning-improvementsfeature flag by @Ephemera42 in #5313 - Fix issues when uri match is a string by @BlackDex in #5332
- Add TOTP delete endpoint by @Timshel in #5327
- fix group issue in send_invite by @stefan0xC in #5321
- Update crates and GHA by @BlackDex in #5346
- Refactor the uri match fix and fix ssh-key sync by @BlackDex in #5339
- Add partial role support for manager only using web-vault v2024.12.0 by @BlackDex in #5219
- Fix issue with key-rotate by @BlackDex in #5348
- fix manager role in admin users overview by @stefan0xC in #5359
- Prevent new users/members to be stored in db when invite fails by @BlackDex in #5350
- Update crates and web-vault to v2025.1.0 by @BlackDex in #5368
- Allow building with Rust v1.84.0 or newer by @BlackDex in #5371
- rename membership and adopt newtype pattern by @stefan0xC in #5320
- build: raise msrv (1.83.0) rust toolchain (1.84.0) by @tessus in #5374
- Fix an issue with login with device by @BlackDex in #5379
- refactor: replace static with const for global constants by @Integral-Tech in #5260
- Add Attestations for containers and artifacts by @BlackDex in #5378
- Fix version detection on bake by @BlackDex in #5382
- Simplify container image attestation by @dfunkt in #5387
- improve admin invite by @stefan0xC in #5403
- Add manage role for collections and groups by @BlackDex in #5386
- update web-vault to v2025.1.1 and add /api/devices by @stefan0xC in #5422
- Security fixes by @BlackDex in #5438
- only validate SMTP_FROM if necessary by @stefan0xC in #5442
New Contributors
- @Ephemera42 made their first contribution in #5313
- @Integral-Tech made their first contribution in #5260
Full Changelog: 1.32.7...1.33.0