feat(container): update image vaultwarden/server ( 1.34.3 → 1.35.4 )

[renovate]

This PR contains the following updates:

Package	Update	Change
vaultwarden/server	minor	1.34.3 → 1.35.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

dani-garcia/vaultwarden (vaultwarden/server)

v1.35.4

Compare Source

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

• GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
• GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
• GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.

These are private for now, pending CVE assignment.

What's Changed

• Update Rust and Crates and GHA by @​BlackDex in #​6843
• hide remember 2fa token by @​stefan0xC in #​6852
• fix(send_invite): invite links by @​proofofcopilot in #​6824
• Misc organization fixes by @​BlackDex in #​6867

New Contributors

• @​proofofcopilot made their first contribution in #​6824

Full Changelog: dani-garcia/vaultwarden@1.35.3...1.35.4

v1.35.3

Compare Source

Security Fixes

This release contains security fixes for the following advisory. We strongly advice to update as soon as possible if you believe it could affect you.

• GHSA-h265-g7rm-h337 (Publication in process, waiting for CVE assignment)
  This vulnerability would allow an authenticated attacker that is part of an organization to access items from collections to which the attacker does not belong.

What's Changed

• Fix User API Key login by @​BlackDex in #​6712
• use email instead of empty name for webauhn by @​stefan0xC in #​6733
• hide password hints via CSS by @​stefan0xC in #​6726
• fix email as 2fa with auth requests by @​stefan0xC in #​6736
• Update crates, web-vault, js, workflows by @​BlackDex in #​6749
• refactor: improve tooltips in diagnostics page by @​tessus in #​6765
• Empty AccountKeys when no private key by @​Timshel in #​6761
• fix error message for purging auth requests by @​stefan0xC in #​6776
• Misc updates, crates, rust, js, gha, vault by @​BlackDex in #​6799
• Update crates and web-vault by @​BlackDex in #​6810
• Fix org-details issue by @​BlackDex in #​6811

Full Changelog: dani-garcia/vaultwarden@1.35.2...1.35.3

v1.35.2

Compare Source

Notable changes

Fixed an issue with the web-vault which prevent creating an organization.

What's Changed

• update web-vault to fix org creation by @​stefan0xC in #​6646
• return no content with status code 204 by @​stefan0xC in #​6665
• allow MasterPasswordHash for Android by @​stefan0xC in #​6673
• improve sso callback path by @​stefan0xC in #​6676
• Fix web-vault version check and update web-vault by @​BlackDex in #​6686

Full Changelog: dani-garcia/vaultwarden@1.35.1...1.35.2

v1.35.1

Compare Source

Notable changes

• Fixed issue with applications being logged out after upgrading due to changes to refresh token parsing
• Updated web vault to 2025.12.1
• Correctly publish alpine tag, which was missing in 1.35.0

What's Changed

• Update lockfile by @​dani-garcia in #​6600
• Re-add alpine tag by @​dfunkt in #​6626
• Misc updates by @​BlackDex in #​6627
• Try old refresh token if we fail to decode jwt by @​dani-garcia in #​6629

Full Changelog: dani-garcia/vaultwarden@1.35.0...1.35.1

v1.35.0

Compare Source

Notable changes

• Implemented support for SSO with OpenID Connect, https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect
• Updated web vault to 2025.12.0
• Added support for future mobile apps with versions 2026.1.0+
• This is the first vaultwarden release using immutable releases and release attestation!

What's Changed

• Fix multi delete slowdown by @​BlackDex in #​6144
• Perform same checks when setting kdf by @​Timshel in #​6141
• SSO using OpenID Connect by @​Timshel in #​3899
• Delete SSO.md by @​dani-garcia in #​6152
• Update webauthn-rs to 0.5.x by @​zUnixorn in #​5934
• a little cleanup after SSO merge by @​stefan0xC in #​6153
• Fix link to point to the wiki by @​Timshel in #​6157
• Fix Email 2FA for mobile apps by @​dfunkt in #​6156
• Update Rust to 1.89.0 by @​dfunkt in #​6150
• Fix several more multi select push issues by @​BlackDex in #​6151
• Fix minor typo by @​ncguk in #​6165
• Update crates, fixes some yanked crates by @​BlackDex in #​6167
• Fix WebauthN issue with Software Keys by @​BlackDex in #​6168
• Fix Playwright test conf and update deps by @​Timshel in #​6176
• Misc updates by @​BlackDex in #​6185
• fix typo in description of helo_name by @​Flottegurke in #​6194
• Fix Playwright by @​Timshel in #​6206
• Switch to GHA's concurrency control by @​dfunkt in #​6164
• Make database connection pool dynamic by @​Samoth69 in #​6166
• Re-add if check to release workflow by @​dfunkt in #​6227
• Fix Webauthn/Passkey 2FA migration/validation issues by @​BlackDex in #​6190
• refactor(config): update template, add validation by @​tessus in #​6229
• Show SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION in admin by @​Timshel in #​6235
• Update crates, gha and web-vault by @​BlackDex in #​6234
• Fix panic around sso_master_password_policy by @​Timshel in #​6233
• make webauthn more optional by @​stefan0xC in #​6160
• Fix 2fa recovery endpoint by @​BlackDex in #​6240
• update trivy-action to v0.33.0 by @​stefan0xC in #​6248
• update web vault to v2025.9.1 and allow new policy by @​stefan0xC in #​6340
• prevent changing collections when hide_passwords is true by @​stefan0xC in #​6278
• Fix sso_user dropped on User::save by @​Timshel in #​6262
• Change OIDC dummy identifier by @​Timshel in #​6263
• add new billing warnings endpoint by @​stefan0xC in #​6369
• Add auth_request pending endpoint by @​Timshel in #​6368
• Fix Org identifier by @​Timshel in #​6364
• add mail address change warning for invited accounts by @​stefan0xC in #​6377
• add missing media-src directive by @​stefan0xC in #​6381
• add seat limit for the invite dialog by @​stefan0xC in #​6371
• [Playwright] Improvements around node by @​Timshel in #​6321
• Use Diesels MultiConnections Derive by @​BlackDex in #​6279
• Improve protected actions by @​dani-garcia in #​6411
• Fix issue with key-rotation and emergency-access by @​BlackDex in #​6421
• Optimizations and build speedup by @​BlackDex in #​6339
• Use an older version of mariadb to prevent a panic by @​BlackDex in #​6453
• Playwright against abitrary web-vault by @​Timshel in #​6380
• Fix KDF Change with new web-vault by @​BlackDex in #​6458
• Fix: admin theme emoji alignment by @​joepduin in #​6459
• remove invalid emergency access dummy value by @​stefan0xC in #​6463
• Add pm-25373-windows-biometrics-v2 feature flag by @​Ephemera42 in #​6468
• Switch to multiple runners per arch by @​dfunkt in #​6472
• Fix icon redirect caching by @​BlackDex in #​6487
• Fix around singleorg policy by @​Timshel in #​6247
• fix email as 2fa provider by @​stefan0xC in #​6473
• Update crates and Rust version by @​BlackDex in #​6485
• Add option to prefer IPv6 resolving by @​BlackDex in #​6494
• Some small admin js/css updates by @​BlackDex in #​6501
• Update crates and workflows and some fixes by @​BlackDex in #​6508
• Fixed a typo in the default TTL value by @​k725 in #​6528
• Iterate over tags on release by @​Timshel in #​6518
• Org.put_policy type not in body anymore by @​Timshel in #​6514
• Android want response property in camelCase by @​Timshel in #​6513
• Fix admin invite with SSO by @​Timshel in #​6498
• Improve sso auth flow by @​Timshel in #​6205
• fix email as 2fa for sso by @​stefan0xC in #​6495
• Fix release workflow by @​BlackDex in #​6532
• Further fixes for the release workflow by @​dfunkt in #​6533
• add empty /api/tasks endpoint by @​stefan0xC in #​6557
• Revert to gzip compression by @​dfunkt in #​6566
• support UriMatchDefaults policy by @​stefan0xC in #​6570
• Add new accountKeys and masterPasswordUnlock fields by @​dani-garcia in #​6572
• Update crates and Rust by @​BlackDex in #​6551
• Add UserDecryption on /sync too by @​dani-garcia in #​6574
• Update web-vault to v2025.12.0 by @​BlackDex in #​6577
• Fix posting cipher with readonly collections by @​BlackDex in #​6578
• Update crates by @​BlackDex in #​6585
• Simplify binary extraction by @​dfunkt in #​6554
• Remove unnecessary output sharing between jobs by @​dfunkt in #​6555
• Add wrapped named variants to UserDecryptionOptions by @​dani-garcia in #​6598

New Contributors

• @​zUnixorn made their first contribution in #​5934
• @​ncguk made their first contribution in #​6165
• @​Flottegurke made their first contribution in #​6194
• @​Samoth69 made their first contribution in #​6166
• @​joepduin made their first contribution in #​6459
• @​k725 made their first contribution in #​6528

Full Changelog: dani-garcia/vaultwarden@1.34.3...1.35.0

---

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/services/vaultwarden/app Kustomization: services/vaultwarden HelmRelease: services/vaultwarden

+++ kubernetes/apps/services/vaultwarden/app Kustomization: services/vaultwarden HelmRelease: services/vaultwarden

@@ -30,13 +30,13 @@

             envFrom:
             - secretRef:
                 name: vaultwarden-secrets
             image:
               pullPolicy: IfNotPresent
               repository: vaultwarden/server
-              tag: 1.34.3@sha256:84fd8a47f58d79a1ad824c27be0a9492750c0fa5216b35c749863093bfa3c3d7
+              tag: 1.35.4@sha256:43498a94b22f9563f2a94b53760ab3e710eefc0d0cac2efda4b12b9eb8690664
         strategy: Recreate
     ingress:
       main:
         annotations:
           error-pages.home.arpa/enabled: 'true'
           external-dns.alpha.kubernetes.io/target: external...PLACEHOLDER_SECRET_DOMAIN..

[github-actions]

--- HelmRelease: services/vaultwarden Deployment: services/vaultwarden

+++ HelmRelease: services/vaultwarden Deployment: services/vaultwarden

@@ -36,13 +36,13 @@

       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - envFrom:
         - secretRef:
             name: vaultwarden-secrets
-        image: vaultwarden/server:1.34.3@sha256:84fd8a47f58d79a1ad824c27be0a9492750c0fa5216b35c749863093bfa3c3d7
+        image: vaultwarden/server:1.35.4@sha256:43498a94b22f9563f2a94b53760ab3e710eefc0d0cac2efda4b12b9eb8690664
         imagePullPolicy: IfNotPresent
         name: main
         volumeMounts:
         - mountPath: /data
           name: data
       volumes: