this post was submitted on 03 May 2026
93 points (98.9% liked)


Security fixes

This release contains security fixes for the following advisories. We strongly advise updating as soon as possible.

SSO Login CSRF - GHSA-pfp2-jhgq-6hg5, GHSA-w6h6-8r66-hcv7
User/Organization Enumeration - GHSA-hxqh-ff5p-wfr3
SSO existing-user binding - GHSA-j4j8-gpvj-7fqr
GHSA-6x5c-84vm-5j56
SSRF via Icon Endpoint - GHSA-72vh-x5jq-m82g
Some crates updated and other minor security enhancements

These are private for now, pending CVE assignment.

https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0

Original Reddit discussion: https://www.reddit.com/r/selfhosted/comments/1t2qd26/vaultwarden_1360_patches_vulnerabilities/

[–] CameronDev@programming.dev 24 points 13 hours ago (3 children)

What makes you think self hosted password managers are any riskier than a cloud hosted one?

[–] ITGuyLevi@programming.dev 5 points 3 hours ago (1 children)

I'm in the camp that believes I'm not that interesting of a target; Bitwarden is a much better target than my Vaultwarden instance. Do I believe that makes me invisible to attackers? Nope; if someone is targeting you, relying on an external company doesn't protect you, it just shifts the risks to them on paper.

[–] CameronDev@programming.dev 1 points 2 hours ago

Plus, if someone is genuinely out to get you, they won't waste time finding a Vaultwarden zero-day, they'll just bust out the wrenches...

[–] irmadlad@lemmy.world 3 points 4 hours ago (1 children)

Basically, because I feel that Bitwarden built this massive network with layers of security that I just don't possess, and their track record is very good in that regard. Yes, they have had some breaches, but none that I am aware of where its central user database or encrypted vaults were exposed. The latest was a supply chain incident in April 2026 which was part of a broader supply chain attack affecting Checkmarx, not a direct compromise of Bitwarden's infrastructure.

[–] CameronDev@programming.dev 2 points 2 hours ago (1 children)

They are also a much bigger target, and can't hide behind obscurity.

So it's 6 of one, half a dozen of the other.

[–] irmadlad@lemmy.world 1 points 2 hours ago

Sure, I get that. It's just two things I don't selfhost: password managers, and anything financial.

[–] immobile7801@piefed.social 19 points 12 hours ago

Yeah, mine's not even exposed to the internet. I'd consider that more secure than cloud-based Bitwarden.