Update bitwarden

This MR contains the following updates:

Package	Update	Change
bitwarden/clients	patch	2026.4.1 → 2026.4.2
bitwarden/server	patch	2026.4.0 → 2026.4.1

---

Release Notes

bitwarden/clients (bitwarden/clients)

v2026.4.2: Web v2026.4.2

Compare Source

Overview

• Added event logs for phishing blocker
• Refactor unlock service to use Bitwarden SDK
• Updated account recovery to include managing member two-step login methods
• Updates to prevent losing unsaved changes when creating a Send
• Updated default clipboard clearing time to 5 minutes
• Various under-the-hood improvements and minor bug fixes

What's Changed

:shipit: Feature Development

• [PM-8458] Change ClearClipboardDelay to strings and change default by @​bensbits91 in #​17756
• [CL-966] Updated Progress Component by @​lxiong-livefront in #​19072
• [PM-28167] Desktop - migrate vault drawers UI to shared lib by @​iivins-livefront in #​19341
• [PM-30584] Add unlock for key connector with SDK by @​quexten in #​19367
• [PM-31778] Multi-step policy edit dialog by @​JaredScar in #​19406
• [PM-31438] Send unsaved edits dialog by @​mcamirault in #​19425
• [CL-1110] Migrate tools CTAs to new icon API by @​BryanCunningham in #​19485
• [PM-26713] Refactor Attachment Uploads to use XMLHTTPRequest by @​nick-livefront in #​19634
• [PM-29927] update reseller notifications by @​kdenney in #​19690
• Auth/Innovation/PM-4659 - Device Management - Add Last Activity Date by @​JaredSnider-Bitwarden in #​19784
• [PM-31901] Remove m3 flagged logic by @​connerbw in #​19868
• [PM-31906] Remove m3 flag definition by @​connerbw in #​19870
• [PM-15489] 2fa account recovery by @​kspearrin in #​19894
• [PM-31942] Handle load/save Access Intelligence reports as files (pt. 1) by @​lastbestdev in #​19922
• [Shared Unlock] [PM-34073] Implement vault timeout supression by @​quexten in #​19934
• [PM-34119] Web New Item Dialog by @​nick-livefront in #​19953
• Add PM-34500-strict-cipher-decryption feature flag by @​nikwithak in #​19973
• [PM-31119] Run side-effects in sdk unlock service by @​quexten in #​20004
• [PM-34230] Blumira Integration using HEC by @​voommen-livefront in #​20008
• [PM-26383] Remove feature flag to enable autoconfirm by @​JaredScar in #​20015
• [PM-34690] - add quick actions feature flag by @​jaasen-livefront in #​20019
• [PM-31875] Client changes for async sdk client get/set by @​Hinton in #​20032
• [PM-34177] Add feature flag for Organization Invite Links by @​r-tome in #​20033
• [PM-34177] Fix feature flag key value for Organization Invite Links by @​r-tome in #​20039
• [PM-24927] Add payment optional support to trial initiation flow and Remove payment-optional feature flag by @​cyprain-okeke in #​20053
• [PM-34037] New event log for 2fa recovery by @​kspearrin in #​20055
• [PM-31270] New default argon2id in change kdf component by @​mzieniukbw in #​20058
• [PM-34396] Create dialog structure for new invite link that supports tab views by @​BTreston in #​20063
• [PM-22228] Phishing events by @​voommen-livefront in #​20065
• [PM-25627] convert policy dialogs to drawers by @​JaredScar in #​20078
• [PM-35072] Allow account recovery for revoked members by @​kspearrin in #​20100
• [PM-32853] Add FromMarketing Property for TrialInitiation Path by @​sbrown-livefront in #​20144
• PM-33122: Rename feature flag pm-34500-strict-cipher-decryption by @​nikwithak in #​20151
• [PM-26383] Remove AutoConfirm feature flag from the FeatureFlag enum by @​JaredScar in #​20179
• [PM-27887] Keeper json importer by @​itsadrago in #​20200

🐛 Bug fixes

• [PM-33480] Fix false success toasts in integration save/delete by @​AlexRubik in #​19544
• [PM-33877] - handle blank custom field values in cipher form by @​jaasen-livefront in #​19676
• [PM-32456] - set canEdit and canDelete in onCipherSaved by @​jaasen-livefront in #​19694
• PM-33194 show appropriate error message for 409 by @​voommen-livefront in #​19713
• [PM-34064] - remove unnecessary wrapper div around web extension prompt dialog by @​jaasen-livefront in #​19739
• [PM-33301] Prevent Unverified Bank Account from Upgrade to Premium by @​sbrown-livefront in #​19745
• [PM-33524] Not able to set new Master Password in a previously TDE org by @​enmande in #​19810
• PM-33905 resolved plaholder text issue by @​bmbitwarden in #​19862
• [CL-1124] updated badge max width by @​BryanCunningham in #​19864
• [CL-1130] Fix storybook a11y and console errors for billing files by @​vleague2 in #​19916
• [CL-1130] Fix storybook a11y and console errors for platform files by @​vleague2 in #​19918
• [CL-1130] Fix storybook a11y and console errors for vault files by @​vleague2 in #​19920
• Downloading an attachment, appends a file extension. Even if original file didn't have one by @​jengstrom-bw in #​19931
• [PM-33554] Don't log out when trust denied for sdk key rotation by @​quexten in #​19961
• Revert "Revert "[PM-33210] fix(login): clear validation errors on region change"" by @​enmande in #​20007
• Auth/pm-34506 - Login Strategy Session Cache Expiration Adjustment by @​JaredSnider-Bitwarden in #​20009
• [PM-34685][Defect] Subscription status for organizations not updating with feature flag enabled by @​sbrown-livefront in #​20018
• [PM-34142] BUGFIX: Allow moving a newly created cipher to org by @​nikwithak in #​20025
• [PM-34579] Update Access Intelligence chart to fit the entire selected timespan on x-axis by @​lastbestdev in #​20026
• [PM-32463] Do not filter disabled orgs for Admin Console by @​shane-melton in #​20027
• [PM-34255] - SCIM Key Fix by @​jrmccannon in #​20036
• [PM-34575] Stop allCiphers$ firing twice by @​JaredScar in #​20067
• [PM-34781] exclude "no folder" from key rotation by @​mzieniukbw in #​20068
• [PM-14883] Strip non-numeric characters in credit card number display… by @​shane-melton in #​20070
• [PM-33554] Fix emergency access fingerprint by @​quexten in #​20072
• [PM-34792] - Fix Mp/Key prompt for SCIM API KEY by @​jrmccannon in #​20074
• PM-34863 Org name has a contrast issue by @​voommen-livefront in #​20083
• [PM-35055] fix account recovery policy config checkbox states by @​kspearrin in #​20141
• [PM-35258] Add archive confirmation to Desktop and fix right click menu by @​shane-melton in #​20208
• [PM-35246] Fix IdentityTokenResponse kdfConfig error by @​rr-bw in #​20209
• [CL-1167] BUG FIX: Fixed nav switcher text colors by @​lxiong-livefront in #​20214
• Fix eslint on main by @​quexten in #​20225
• [PM-35187] Store new default avatar colors as hexes by @​vleague2 in #​20236
• [PM-35318] Desktop v3/4 - Showing two "Archived" badge by @​gbubemismith in #​20239
• [PM-35330] Fix state not being updated on change kdf by @​quexten in #​20259
• [PM-35335] Fix bug making discard edits dialog show on navigate after… by @​mcamirault in #​20267
• [PM-35335] Fix bug making discard edits dialog show on navigate after… by @​mcamirault in #​20274
• Remove the desktop-specific Archived badge from ItemDetailsV2Compone… by @​gbubemismith in #​20277
• PM-35363 resolved stale child controllers by @​bmbitwarden in #​20295
• PM-35363 resolved stale child controllers (#​20295) by @​bmbitwarden in #​20307
• [PM-35458] fix status check by @​BTreston in #​20312
• fix status check (#​20312) by @​BTreston in #​20313
• Auth/PM-35336 - TokenService - prevent stale access token retrieval to fix logout on org user confirm by @​JaredSnider-Bitwarden in #​20334
• [PM-35240] RC cherry-pick: Add sync before forced kdf migration by @​Thomas-Avery in #​20340
• [PM-35330] RC cherry-pick: Fix state not being updated on change kdf by @​Thomas-Avery in #​20341
• CherryPick/Auth/PM-35336 - TokenService - prevent stale access token retrieval to fix logout on org user confirm by @​JaredSnider-Bitwarden in #​20342
• [PM-35484] Remove exemption for owners/admins for mp policy by @​BTreston in #​20398
• [PM-35484] Remove exemption for owners/admins for mp policy by @​BTreston in #​20418
• Auth/PM-36080 by @​JaredSnider-Bitwarden in #​20452
• CherryPick/Auth/PM-36080 (#​20452) by @​JaredSnider-Bitwarden in #​20463

⚙️ Maintenance

• [PM-25688] Migrate Folder API request model to TS strict by @​shane-melton in #​17269
• Added devcontainer setup (devcontainer.json, docker-compose.yml, postCreateCommand.sh) by @​connerbw in #​18541
• [deps]: Update actions/checkout action to v6.0.2 by @​renovate in #​18569
• [PM-31838] Update *ngIf/*ngFor to @​if/@​for in vault web components by @​jengstrom-bw in #​18820
• [PM-32864] Remove local masterkey hash by @​quexten in #​19277
• [PM-32919] Migrate DeleteAccountDialog to shared code by @​djsmith85 in #​19308
• Sanitize branch ref with toJSON by @​mandreko-bitwarden in #​19394
• [PM-18133] Remove generatePasswordCallback, rely on new service by @​blackwood in #​19400
• [CL-1113] Migrate auth CTAs to new icon API by @​BryanCunningham in #​19489
• [deps]: Update docker/setup-buildx-action action to v4 by @​renovate in #​19583
• [deps]: Update docker/setup-qemu-action action to v4 by @​renovate in #​19585
• DN Team Codeowners Rename by @​coltonhurst in #​19595
• [BRE 1670] update token for build workflows by @​AmyLGalles in #​19660
• [deps]: Update dtolnay/rust-toolchain digest to 29eef33 by @​renovate in #​19841
• [deps]: Update dorny/test-reporter action to v3 by @​renovate in #​19855
• Bitwarden IPC improvements/refactor by @​coroiu in #​19935
• Added ownership of sdk-update workflow. by @​trmartin4 in #​19980
• Enable the custom.regex package manager to enable rust toolchain updates by @​neuronull in #​20035
• eslint: error on importing bitwarden licensed code into /libs**/* by @​djsmith85 in #​20054
• [PM-34574] Remove personal vault decrypt from AC by @​JaredScar in #​20066
• [PM-33101] Remove master key from uv service by @​quexten in #​20076
• Remove unused signature type enum by @​quexten in #​20091
• Auth/PM-34506 - LoginStrategyService - Refactor cache and timeout out into own services by @​JaredSnider-Bitwarden in #​20108
• [AppSec] AI Fix for Template Injection in GitHub Workflows Action by @​aikido-autofix in #​20113
• [AppSec] AI Fix for Template Injection in GitHub Workflows Action by @​aikido-autofix in #​20114
• [deps]: Update codecov/codecov-action action to v6 by @​renovate in #​20126
• [BRE-1004] Fix GHCR logic in Build Web and Publish Web by @​vgrassia in #​20163
• Add Skunkworks as co-owners of native passkeys by @​iinuwa in #​20184
• enable jest/no-alias-methods by @​cd-bitwarden in #​20187
• Add dev tag to GHCR by @​vgrassia in #​20234

📦 Dependency Updates

• [deps] SM: Update jest-diff to v30.3.0 by @​renovate in #​19843
• [deps] Platform: Update webpack-cli to v7 by @​renovate in #​19849
• Update sdk-internal to 0.2.0-main.646 by @​bw-ghapp in #​20057
• Update sdk-internal to 0.2.0-main.668 by @​bw-ghapp in #​20132
• Update sdk-internal to 0.2.0-main.672 by @​bw-ghapp in #​20140
• Update sdk-internal to 0.2.0-main.673 by @​bw-ghapp in #​20157
• Update sdk-internal to 0.2.0-main.681 by @​bw-ghapp in #​20194
• [SM-1762] Bump Jest to 30.3.0 by @​djsmith85 in #​20211
• Update sdk-internal to 0.2.0-main.687 by @​bw-ghapp in #​20220
• Update sdk-internal to 0.2.0-main.689 by @​bw-ghapp in #​20224
• Update sdk-internal to 0.2.0-main.692 by @​bw-ghapp in #​20251

🎨 Other

• [PM-32687] Create Claude skill to add more item types easily by @​gbubemismith in #​19301
• Add fix-angular-fixmes skill to resolve Angular FIXME migration comments by @​JaredScar in #​19426
• update gray-050 primitive by @​BryanCunningham in #​20016
• [PM-32091] Update postmessage by @​enmande in #​20064
• Autosync Crowdin Translations for web by @​bw-ghapp in #​20088
• Replace deprecated typescript.tsdk with js/ts.tsdk.path by @​willmartian in #​20146
• Autosync Crowdin Translations for web by @​bw-ghapp in #​20218
• [PM-25627] Fix type checks failing by @​JaredScar in #​20245
• Autosync Crowdin Translations for web by @​bw-ghapp in #​20264

bitwarden/server (bitwarden/server)

v2026.4.1: Version 2026.4.1

Compare Source

Overview

• Removed feature flag for automatic member confirmation settings
• Removed feature flag for unlock with passkey
• Removed feature flag for SCIM refactor
• Various under-the-hood improvements and minor bug fixes

Security notice: To resolve a bug with the local storage of API keys for the Bitwarden CLI, the next Bitwarden server release following this one will automatically rotate the personal API keys for users of the Bitwarden CLI. If you use the Bitwarden CLI for any automated workflows, update those workflows with your new API keys immediately following that release in order to maintain continuity.

What's Changed

:shipit: Feature Development

• [PM-34595] Add provider authorization attributes by @​eliykat in #​7389
• [PM-34230] server side constant for feature flag by @​voommen-livefront in #​7395
• Add SDK Sends API feature flag by @​adudek-bw in #​7254
• [PM-34177] Add feature flag for Organization Invite Links by @​r-tome in #​7404
• [PM-34177] Fix feature flag key value for Organization Invite Links by @​r-tome in #​7409
• [PM-34171] Add card scanner feature flag by @​SaintPatrck in #​7310
• PM-34686 Remove Summary Count Limit by @​prograhamming in #​7398
• [PM-32105] - Org ability feature flag by @​jrmccannon in #​7401
• [PM-33213] Remove FeatureFlag Around ResetPassword && PolicyRequirements by @​sven-bitwarden in #​7188
• [PM-32394] Implement Scim V2 features by @​JaredScar in #​7397
• [PM-34694] - add quick actions feature flag by @​jaasen-livefront in #​7412
• [PM-34146] Add GetManyConfirmedAcceptedByUserIdAsync(Guid userId) to the IPolicyRepository interface by @​JimmyVo16 in #​7392
• [PM-34178] Add entities, repository and database migrations for Organization Invite Link feature by @​r-tome in #​7407
• [PM-31894] remove storage reconciliation job and flags by @​kdenney in #​7424
• [PM-26383] Remove feature flag from server-side for autoconfirm by @​JaredScar in #​7402
• [PM-34805] Add new feature flag for Policy Drawers (pm-34804) in Constants.cs by @​JaredScar in #​7429
• [PM-34147] Add GetManyConfirmedAcceptedDetailsByUserAsync to IOrganizationUserRepository by @​JimmyVo16 in #​7399
• [PM-34500] Add PM-34500-strict-cipher-decryption feature flag by @​nikwithak in #​7387
• [PM-35072] Allow account recovery for revoked status users by @​kspearrin in #​7446
• [PM-34854] Add pm-34145-policies-in-accepted-state feature flag by @​eliykat in #​7449
• [PM-31941] Implement Feature Flag and Access Intelligence Refactor Integration by @​Banrion in #​7459
• [PM-34500] Fix Feature Flag pm-34500-strict-cipher-decryption name casing by @​nikwithak in #​7460
• [PM-30751] - add secure SSRF protection for internal IPs by @​jaasen-livefront in #​7256
• [PM-31909] Remove m3 flagged logic by @​connerbw in #​7352
• [PM-31911] Remove m3 flag definition by @​connerbw in #​7354
• [PM-34825] Add support for ml-dsa44 keypairs by @​quexten in #​7435
• [PM-31780] Add exempt from billing automation toggle by @​amorask-bitwarden in #​7438
• [PM-32068] - Org Ability Extended Cache by @​jrmccannon in #​7443
• [PM-33866] Revocation Reasons: DDL Edition by @​sven-bitwarden in #​7432
• chore: remove bulk reinvite and org accept init flags by @​vincentsalucci in #​7484
• Auth/Innovation/PM-4517 - Device Management - Add Last Activity Date by @​JaredSnider-Bitwarden in #​7302
• [PM-34060] Add bank account item type by @​gbubemismith in #​7112
• [PM-35154] collection SDK decryption feature flag to Constants.cs by @​JaredScar in #​7470
• [PM-34595] Update provider controllers to use authz attribute by @​eliykat in #​7450
• [PM-24927] Add payment optional support to trial initiation flow by @​cyprain-okeke in #​7418
• [PM-32069] Add ExtendedProviderAbilityCacheService by @​JimmyVo16 in #​7447
• PM-22228 Added Phishing events by @​voommen-livefront in #​7427
• [PM-32853] Add Trial Initiation Metadata for Marketing or Product by @​sbrown-livefront in #​7462
• feat(validation): [PM-32626] by @​Patrick-Pimentel-Bitwarden in #​7064
• [PM-32073] - Added Bulk Get Org Ability by @​jrmccannon in #​7476

🐛 Bug fixes

• [PM-22525] Log when provider admin accesses an org vault by @​BTreston in #​7379
• [PM-34679] Display Phase 2 prices and discount on org subscription page by @​amorask-bitwarden in #​7393
• [PM-34679] Fix Families 2019 Phase 2 price and discount display by @​amorask-bitwarden in #​7408
• PM-34391 fixes to eventsController by @​voommen-livefront in #​7405
• [PM-34728] Use top-level ProrationBehavior on schedule updates by @​amorask-bitwarden in #​7410
• [PM-33500] - delete attachments from deleted ciphers by @​jaasen-livefront in #​7208
• fix(change-email): [PM-34742] Change Email Sets Salt by @​Patrick-Pimentel-Bitwarden in #​7413
• [PM-34773] Fix storage addition during active Phase 2 of schedule by @​amorask-bitwarden in #​7420
• [PM-34255] - SCIM Api Key Fix by @​jrmccannon in #​7403
• fix(refactor): [PM-34246] Rename Set Password to Finalize Onboarding by @​Patrick-Pimentel-Bitwarden in #​7328
• Revert "fix(change-email): [PM-34742] Change Email Sets Salt" by @​Patrick-Pimentel-Bitwarden in #​7421
• PM-33194 single integration of a type only by @​voommen-livefront in #​7280
• [PM-22450] Bump Collection.RevisionDate on edits and access changes by @​r-tome in #​7380
• [PM-26043] Fix bug: can't add secrets manager to legacy plans by @​kdenney in #​7414
• [PM-22450] Bump date on migration script file CollectionBumpRevisionDateOnAccessChange by @​r-tome in #​7436
• [PM-33301] Add Functionality for Upgrading Using PayPal by @​sbrown-livefront in #​7183
• [PM-34866][PM-34865] Fix EnableAutomaticTaxAsync to update schedule phases by @​connerbw in #​7437
• Fix test clock awareness in schedule-aware cancellation by @​connerbw in #​7440
• Fix CollectionUsers/CollectionGroups table names for Seeder across all DB providers by @​mimartin12 in #​7441
• [PM-32463] Remove organization enabled filter from database query/view by @​shane-melton in #​7037
• Auth/PM-34130 - Fix DeviceAuthDetails constructor and stored procedure for EDD compliance by @​JaredSnider-Bitwarden in #​7416
• [PM-34390] - Fixing Group/Provider User by @​jrmccannon in #​7431
• [PM-33539] Fix wrong model response type for file model size by @​quexten in #​7474
• [PM-35234] Prevent appending duplicate org user in validator request by @​BTreston in #​7486
• [PM-34427] Fix Users can edit and save sends with the hide email address option enabled by @​harr1424 in #​7511

⚙️ Maintenance

• [PM-34456] Innovation Sprint: Enable generating automated release notes by @​djsmith85 in #​7362
• [FIX] Image tag max length logic by @​gitclonebrian in #​7396
• [PM-29152] Rename VNextSavePolicyCommand to SavePolicyCommand and remove deprecated policy interfaces by @​r-tome in #​7364
• test(change-email): [PM-34742] Change Email Sets Salt Attempt 2 by @​Patrick-Pimentel-Bitwarden in #​7422
• [PM-34383] Add import validation allowing providers to perform imports by @​harr1424 in #​7394
• [PM-33044] Provider Ability Refactor EventService by @​JimmyVo16 in #​7411
• [PM-34823] Remove missed uses of PolicyRequirements flag by @​eliykat in #​7426
• [deps]: Update docker/login-action action to v4 by @​renovate[bot] in #​7346
• [deps]: Update docker/setup-qemu-action action to v4 by @​renovate[bot] in #​7223
• [deps]: Update codecov/codecov-action action to v6 by @​renovate[bot] in #​7455
• BRE-1004 - Add write packages permission by @​vgrassia in #​7457
• [BRE-1004] Fix container image push logic by @​vgrassia in #​7464
• [deps]: Update actions/create-github-app-token action to v3 by @​renovate[bot] in #​7345
• [deps]: Update dtolnay/rust-toolchain digest to 29eef33 by @​renovate[bot] in #​7341
• [deps]: Update docker/setup-buildx-action action to v4 by @​renovate[bot] in #​7222
• [BRE-1533] Update trigger for Bitwarden lite builds by @​vgrassia in #​7479
• [BRE-1670] replace PAT tokens with app token by @​AmyLGalles in #​7434
• Add dev tags back to GHCR for US-DEV by @​vgrassia in #​7492
• [PM-35150] Make Setup testable and add test for install by @​justindbaur in #​7445
• [PM-35235] Make PUT Policy identical to PUT Policy/VNext by @​sven-bitwarden in #​7485
• chore: remove leftover implied reference to create default location ff by @​vincentsalucci in #​7499

📦 Dependency Updates

• [deps] Billing: Update swashbuckle-aspnetcore monorepo to 10.1.7 by @​renovate[bot] in #​7008
• [deps] Billing: Update Kralizek.AutoFixture.Extensions.MockHttp to 2.2.1 by @​renovate[bot] in #​6556
• [deps] DbOps: Update Microsoft.Data.SqlClient to v7 by @​renovate[bot] in #​7344
• [deps] DbOps: Update dbup-sqlserver to v7 by @​renovate[bot] in #​7218
• [deps]: Update webpack to v5.105.4 by @​renovate[bot] in #​7007

🎨 Other

• [PM-31144] Edit Families 2019 renewal email subject by @​sbrown-livefront in #​7406
• Add SeederApi PlayData delete scheduled job by @​MGibson1 in #​7281
• Auth-owned MRs for minor/patch updates for their dotnet monorepo deps by @​trmartin4 in #​7451
• Add scenario docs for Seeder adoption and trim CLI reference by @​theMickster in #​7456
• [BRE-1413] Empty commit to test hash change in Canary by @​pixman20 in #​7471
• [BRE-1823] Bumping hash for canary testing by @​pixman20 in #​7497
• [BRE-1823] Bumping hash for canary testing by @​pixman20 in #​7498

Full Changelog: https://github.com/bitwarden/server/compare/v2026.4.0...v2026.4.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.