Version 2026.4.2

Overview

• Bug fix for subscription handling

What's Changed

🐛 Bug fixes

• [PM-36613] Void open invoices for unpaid subscriptions by @amorask-bitwarden in #7589

📦 Dependency Updates

• Update Bitwarden.Server.Sdk to 1.5.2 by @justindbaur in #7559

🎨 Other

• Bumped version to 2026.4.2 by @connerbw in #7619

Full Changelog: v2026.4.1...v2026.4.2

Version 2026.4.1

Overview

• Removed feature flag for automatic member confirmation settings
• Removed feature flag for unlock with passkey
• Removed feature flag for SCIM refactor
• Various under-the-hood improvements and minor bug fixes

What's Changed

Feature Development

• [PM-34595] Add provider authorization attributes by @eliykat in #7389
• [PM-34230] server side constant for feature flag by @voommen-livefront in #7395
• Add SDK Sends API feature flag by @adudek-bw in #7254
• [PM-34177] Add feature flag for Organization Invite Links by @r-tome in #7404
• [PM-34177] Fix feature flag key value for Organization Invite Links by @r-tome in #7409
• [PM-34171] Add card scanner feature flag by @SaintPatrck in #7310
• PM-34686 Remove Summary Count Limit by @prograhamming in #7398
• [PM-32105] - Org ability feature flag by @jrmccannon in #7401
• [PM-33213] Remove FeatureFlag Around ResetPassword && PolicyRequirements by @sven-bitwarden in #7188
• [PM-32394] Implement Scim V2 features by @JaredScar in #7397
• [PM-34694] - add quick actions feature flag by @jaasen-livefront in #7412
• [PM-34146] Add GetManyConfirmedAcceptedByUserIdAsync(Guid userId) to the IPolicyRepository interface by @JimmyVo16 in #7392
• [PM-34178] Add entities, repository and database migrations for Organization Invite Link feature by @r-tome in #7407
• [PM-31894] remove storage reconciliation job and flags by @kdenney in #7424
• [PM-26383] Remove feature flag from server-side for autoconfirm by @JaredScar in #7402
• [PM-34805] Add new feature flag for Policy Drawers (pm-34804) in Constants.cs by @JaredScar in #7429
• [PM-34147] Add GetManyConfirmedAcceptedDetailsByUserAsync to IOrganizationUserRepository by @JimmyVo16 in #7399
• [PM-34500] Add PM-34500-strict-cipher-decryption feature flag by @nikwithak in #7387
• [PM-35072] Allow account recovery for revoked status users by @kspearrin in #7446
• [PM-34854] Add pm-34145-policies-in-accepted-state feature flag by @eliykat in #7449
• [PM-31941] Implement Feature Flag and Access Intelligence Refactor Integration by @Banrion in #7459
• [PM-34500] Fix Feature Flag pm-34500-strict-cipher-decryption name casing by @nikwithak in #7460
• [PM-30751] - add secure SSRF protection for internal IPs by @jaasen-livefront in #7256
• [PM-31909] Remove m3 flagged logic by @connerbw in #7352
• [PM-31911] Remove m3 flag definition by @connerbw in #7354
• [PM-34825] Add support for ml-dsa44 keypairs by @quexten in #7435
• [PM-31780] Add exempt from billing automation toggle by @amorask-bitwarden in #7438
• [PM-32068] - Org Ability Extended Cache by @jrmccannon in #7443
• [PM-33866] Revocation Reasons: DDL Edition by @sven-bitwarden in #7432
• chore: remove bulk reinvite and org accept init flags by @vincentsalucci in #7484
• Auth/Innovation/PM-4517 - Device Management - Add Last Activity Date by @JaredSnider-Bitwarden in #7302
• [PM-34060] Add bank account item type by @gbubemismith in #7112
• [PM-35154] collection SDK decryption feature flag to Constants.cs by @JaredScar in #7470
• [PM-34595] Update provider controllers to use authz attribute by @eliykat in #7450
• [PM-24927] Add payment optional support to trial initiation flow by @cyprain-okeke in #7418
• [PM-32069] Add ExtendedProviderAbilityCacheService by @JimmyVo16 in #7447
• PM-22228 Added Phishing events by @voommen-livefront in #7427
• [PM-32853] Add Trial Initiation Metadata for Marketing or Product by @sbrown-livefront in #7462
• feat(validation): [PM-32626] by @Patrick-Pimentel-Bitwarden in #7064
• [PM-32073] - Added Bulk Get Org Ability by @jrmccannon in #7476

🐛 Bug fixes

• [PM-22525] Log when provider admin accesses an org vault by @BTreston in #7379
• [PM-34679] Display Phase 2 prices and discount on org subscription page by @amorask-bitwarden in #7393
• [PM-34679] Fix Families 2019 Phase 2 price and discount display by @amorask-bitwarden in #7408
• PM-34391 fixes to eventsController by @voommen-livefront in #7405
• [PM-34728] Use top-level ProrationBehavior on schedule updates by @amorask-bitwarden in #7410
• [PM-33500] - delete attachments from deleted ciphers by @jaasen-livefront in #7208
• fix(change-email): [PM-34742] Change Email Sets Salt by @Patrick-Pimentel-Bitwarden in #7413
• [PM-34773] Fix storage addition during active Phase 2 of schedule by @amorask-bitwarden in #7420
• [PM-34255] - SCIM Api Key Fix by @jrmccannon in #7403
• fix(refactor): [PM-34246] Rename Set Password to Finalize Onboarding by @Patrick-Pimentel-Bitwarden in #7328
• Revert "fix(change-email): [PM-34742] Change Email Sets Salt" by @Patrick-Pimentel-Bitwarden in #7421
• PM-33194 single integration of a type only by @voommen-livefront in #7280
• [PM-22450] Bump Collection.RevisionDate on edits and access changes by @r-tome in #7380
• [PM-26043] Fix bug: can't add secrets manager to legacy plans by @kdenney in #7414
• [PM-22450] Bump date on migration script file CollectionBumpRevisionDateOnAccessChange by @r-tome in #7436
• [PM-33301] Add Functionality for Upgrading Using PayPal by @sbrown-livefront in #7183
• [PM-34866][PM-34865] Fix EnableAutomaticTaxAsync to update schedule phases by @connerbw in #7437
• Fix test clock awareness in schedule-aware cancellation by @connerbw in #7440
• Fix CollectionUsers/CollectionGroups table names for Seeder across all DB providers by @mimartin12 in #7441
• [PM-32463] Remove organization enabled filter from database query/view by @shane-melton in #7037
• Auth/PM-34130 - Fix DeviceAuthDetails constructor and stored procedure for EDD compliance by @JaredSnider-Bitwarden in #7416
• [PM-34390] - Fixing Group/Provider User by @jrmccannon in #7431
• [PM-33539] Fix wrong model response type for file model size by @quexten in #7474
• [PM-35234] Prevent appending duplicate org user in validator request by @BTreston in #7486
• [PM-34427] Fix Users can edit and save sends with the hide email address option enabled by @harr1424 in #7511

⚙️ Maintenance

• [PM-34456] Innovation Sprint: Enable generating automated release notes by @djsmith85 in #7362
• [FIX] Image tag max length logic by @gitclonebrian in #7396
• [PM-29152] Rename VNextSavePolicyCommand to SavePolicyCommand and remove deprecated policy interfaces by @r-tome in #7364
• test(change-email): [PM-34742] Change Email Sets Salt Attempt 2 by @Patrick-Pimentel-Bitwarden in #7422
• [PM-34383] Add import validation allowing providers to perform imports by @harr1424 in #7394
• [PM-33044] Provider Ability Refactor EventService by @JimmyVo16 in #7411
• [PM-34823] Remove missed uses of PolicyRequirements flag by @eliykat in #7426
• [deps]: Update docker/login-action action to v4 by @renovate[bot] in #7346
• [deps]: Update docker/setup-qemu-action action to v4 by @renovate[bot] in #7223
• [deps]: Update codecov/codecov-action action to v6 by @renovate[bot] in #7455
  *...

Version 2026.4.0

Overview

• Removed feature flag for vault items archive
• Removed feature flag for default saving location when organization data ownership policy is enabled
• Removed feature flag for hiding alternate login methods when SSO is required
• Removed feature flag for several UX improvements
• Removed feature flag for provider initialization refactor
• Added support for deeplink redirect with https schema
• Various under-the-hood improvements and minor bug fixes

What's Changed

Feature Development

• [PM-31736] User-friendly cookie vendor error message by @dereknance in #7270
• [PM-33972] Remove pm-26140-marketing-initiated-premium-flow feature flag by @trmartin4 in #7275
• [PM-32783] Add electron-storage-cache flag by @dani-garcia in #7286
• [PM-33890] Set up Stripe Subscription Schedule API operations by @amorask-bitwarden in #7289
• feat(redirect): [PM-30810] Https Redirection for Cloud Users by @Patrick-Pimentel-Bitwarden in #6852
• [PM-22110] Remove pm-22110-disable-alternate-login-methods feature flag by @trmartin4 in #7274
• [PM-22435] chore: remove create default collections ff ref by @vincentsalucci in #7298
• [PM-33086/7] Remove the feature flag RefactorOrgAcceptInit by @r-tome in #7287
• [PM-28420] Remove feature flag by @BTreston in #7282
• [PM-33087] Remove RefactorOrgAcceptInit feature flag by @r-tome in #7325
• [PM-15489] 2fa account recovery by @kspearrin in #7139
• Auth/PM-34400 - Add desktop devices feature flag by @JaredSnider-Bitwarden in #7361
• [PM-32009] Add New Item Type Feature Flag by @nick-livefront in #7358
• [PM-34410] Attachment Upload Feature Flag by @nick-livefront in #7357
• Add feature flag for access intelligence trend chart by @Banrion in #7363
• [PM-33212] Finalize Org Data Ownership Policy Requirement by @sven-bitwarden in #7210
• [PM-332124] Finalize PolicyRequirement + 2FA Feature Flag by @sven-bitwarden in #7209
• [PM-19168] Remove Archive Feature Flag guards by @nick-livefront in #7371
• [PM-31885] Consolidate all Send policies to a single policy by @harr1424 in #7113
• [PM-31905] Remove m2 flag definition by @cturnbull-bitwarden in #7353
• [PM-28190] Add feature flag: pm-28190-cipher-sharing-ops-to-sdk Feature Flag by @nikwithak in #6887

🐛 Bug fixes

• [PM-33980] Only verify UseMyItems when claim exists by @amorask-bitwarden in #7278
• [PM-32450] Allow SMTP TLS CRL status retrieval failures by @dereknance in #7271
• [PM-19143] Fix custom permissions not persisting via InviteOrganizationUsersCommand by @r-tome in #7285
• [PM-34049] Fix PoliciesController authorize attribute by @eliykat in #7303
• [PM-34048 ] Add limit item deletion to manage collection permission to Org view/edit by @vincentsalucci in #7296
• [PM-31822] Fix file Send size validation by @mcamirault in #7311
• [PM-34440] Fix cache duplicate-key error by @JimmyVo16 in #7360
• [PM-30185] Fix email fallback logic to ignore empty primary email by @BTreston in #7359
• [PM-32829] Cipher Key for unassigned ciphers by @nick-livefront in #7164
• [PM-32260] Fix missing device approval event logs for accepted users by @r-tome in #7247
• [PM-26581] Add missing model.type param by @BTreston in #7369
• [PM-29981] Add repo call to check if existing collection already has access setup by @BTreston in #7365
• [PM-34570] Expired or Cancelled Claimed User Throws Billing Exception on Subscription Cancel by @sbrown-livefront in #7382
• fix(change-email): [PM-34742] Change Email Sets Salt (#7422) by @Patrick-Pimentel-Bitwarden in #7423

⚙️ Maintenance

• [BRE-1004] Add GHCR Support to Build/Publish workflows by @vgrassia in #7263
• [PM-32066] - Add Org Ability View by @jrmccannon in #7194
• [PM-33895] Filter [BindNever] parameters from OpenAPI schema by @dani-garcia in #7257
• [deps]: Update docker/build-push-action action to v7 by @renovate[bot] in #7221
• [PM-32067] - Add Provider Ability View by @jrmccannon in #7200
• [PM-33041] Organization Ability: Refactor CipherResponseModel by @JimmyVo16 in #7202
• [PM-33043] Refactor PolicyService, CipherService, and TwoFactorAuthenticationValidator by @JimmyVo16 in #7214
• [PM-33042] Refactor EventService to remove deprecated GetOrganizationAbilitiesAsync by @JimmyVo16 in #7240
• [deps]: Update dorny/test-reporter action to v3 by @renovate[bot] in #7347
• [PM-34462] Improve role handling in provider controllers by @eliykat in #7372
• [PM-3836] Tools - Make Controllers, Services and API Models nullable by @harr1424 in #7212
• Add release yml to rc by @djsmith85 in #7466

📦 Dependency Updates

• [deps] Auth: Update Duende.IdentityServer to 7.4.6 by @renovate[bot] in #6323
• [PM-33499] Permissive base64 decoder by @dereknance in #7207
• [deps]: Update sass to v1.98.0 by @renovate[bot] in #7343
• [deps]: Update prettier to v3.8.1 by @renovate[bot] in #6702

🎨 Other

• PM-33964 - Fix silent switch defaults in Seeder with fail-fast throws by @theMickster in #7277
• [PM-33819] Enforce use of authorize attributes by @eliykat in #7242
• Arch/cipher scene by @MGibson1 in #7241
• [PM-33894] Schedule price increases by @amorask-bitwarden in #7293
• [PM-34082] Seed passkeys by @MGibson1 in #7265
• Added RSA keypair pool + Caching to Seeder's RustSdk by @theMickster in #7288
• [PM-33896] Update Families organization on schedule transition by @cturnbull-bitwarden in #7300
• [PM- 30370] [PM-28827] Add Salt to Auth and KM DTOs by @ike-kottlowski in #7239
• [PM-32008] Add scope comment for SecurityTaskAuthorizationHandler by @nick-livefront in #7291
• [PM-21926] Add salt to Admin Console DTOs by @ike-kottlowski in #7231
• [PM-33043] Fix the failing test. by @JimmyVo16 in #7316
• [PM-33899] Release schedule on terminal subscription operations by @amorask-bitwarden in #7305
• PM-34033 - Add individual user seeding to preset pipeline by @theMickster in #7304
• PM-34033 - Add user & org API key seeding and improve CLI output by @theMickster in #7324
• [PM-34039] [Defect] Discount Eligibility Endpoint Shows "New Users Only" Discounts by @sbrown-livefront in #7301
• Update to IHostBuilder style by @justindbaur in #6843
• [PM-32216] Create Stripe Checkout Session Endpoint by @sbrown-livefront in #7246
• [PM-33901] Remove unused UpdateTaxInformation by @cturnbull-bitwarden in #7320
• [PM-33901] Implement schedule-aware tax handling by @cturnbull-bitwarden in #7319
• PM-33964 - Unify CipherSeeder factories behind CipherSeed domain model. by @theMickster in #7330
• Clarify potential misleading comment by @theMickster in #7339
• Rename CLI endpoint to Preset instead of Seed by @theMickster in #7340
• Move IEventService to Dirt by @eliykat in #7272
• [PM-33898] Schedule-aware storage adjustments by @amorask-bitwarden in #7350
• [PM-33891] Migrate Cancel and Reinstate Paths by @sbrown-livefront in #7331
• [PM-33405] Add `...

Version 2026.3.2

• Removed feature flag for biometrics refactor on Windows
• Removed feature flag for updated organization invitation email
• Removed feature flag for updated organization confirmation email
• Removed feature flag for data recovery tool
• Removed feature flag for push notifications infrastructure updates
• Updated tax logic for Switzerland
• Various under-the-hood improvements and minor bug fixes

Thank you! 💙 A big shout-out to the following community members for their contributions!

mdusher - Add globalSettings.knownNetworks so that entire IP ranges can be used for trusting X-Forwarded-* headers

Warfields - Add PQC TLS Support

Version 2026.3.1

Fixed an issue that could cause cipher key corruption under certain conditions.

Version 2026.3.0

• Added option in system administration portal to disable My Items
• Removed feature flag for multi-thread decryption
• Removed feature flag for SSH key storage and SSH Agent
• Removed feature flag for creating My Items for users who are revoked then restored
• Removed feature flag for refactor of InMemoryApplicationCacheService instantiation to help prevent pod stampedes
• Various under-the-hood improvements and minor bug fixes

Thank you! 💙 A big shout-out to the following community members for their contributions!

lahma - Use SchedulerBuilder to configure Quartz

Version 2026.2.1

• Updated email templates for organization invitations
• Removed feature flag for Premium risk insights
• Removed feature flag for claimed domain account creation policy
• Removed feature flag for new organization metadata structure
• Various under-the-hood improvements and minor bug fixes

Thank you! 💙 A big shout-out to the following community members for their contributions!

[+jolness1+|https://github.com/jolness1] - Change hardcoded 5 key WebAuthn limit for login to check if premium

Version 2026.2.0

• Added endpoints to public API for revoke and restore members
• Removed feature flag for Premium risk insights
• Removed feature flag for improved loading states
• Removed feature flag for performance improvements to re-invite endpoint
• Various under-the-hood improvements and minor bug fixes

Thank you! 💙 A big shout-out to the following community members for their contributions!

jolness1 - Change hardcoded 5 key WebAuthn limit for login to check if premium

Version 2026.1.1

• Removed feature flag for disabling type zero encryption
• Removed feature flag for notifications to locked and inactive accounts
• Removed feature flag for redirect on SSO required error
• Users who inherit Premium from their organization membership now have 5Gb of storage
• Added new endpoints for Send
• Updates to email copy
• Security fixes for logging
• Various under-the-hood improvements and minor bug fixes

Version 2026.1.0

• Updates to welcome email for new users
• Removed feature flag for new unlock data model
• Removed feature flag for My Items
• Removed feature flag for organization users endpoint optimization
• Various under-the-hood improvements and minor bug fixes.