Released: May 21, 2026

Actualizaciones en Server and Console 2026.1.19.0

Características

Server

• Core - Added audit logging for Send Copy actions so administrators can track who shared entries and with whom.
• Core - Hardened the authorization cache key to prevent any future cache-poisoning regression (follow-up to CVE-2026-1768).
• Core - Improved authentication security to prevent external-provider sessions from bypassing password authentication under a different login method.
• Core - Improved Active Directory user creation performance.
• PAM - Added an option to skip TLS validation for the Windows Provider.
• Web - Added Command key support for multi-selection in the web interface, allowing Mac users to extend selections with Cmd-click.

Console

• Made minor updates.

Correcciones

Server

• CVE-2026-5171 Core - Fixed an issue where users without Activity Logs permission could still retrieve entry logs through the API.
• CVE-2026-7325 PAM - Fixed an LDAP coercion issue that could force DVLS to authenticate against a malicious LDAP server.
• CVE-2026-8477 Core - Fixed a security issue where sealed entries could be accessed through the partial sensitive-data endpoint without triggering unseal notifications.
• CVE-2026-9047 Core - Fixed an issue where adding an additional MFA factor could remove an existing MFA key.
• CVE-2026-9223 Core - Fixed a missing permission check that could allow users to create a new vault when importing an .rdx file referencing a non-existent vault.
• CVE-2026-9224 Core - Fixed an issue where Active Directory accounts could modify their own profile data through the API despite UI restrictions.
• CVE-2026-9245 Core - Fixed an open redirect vulnerability during external OAuth sign-in failures or cancellations.
• CVE-2026-9246 Core - Fixed an issue where handbook content and attachment metadata from sealed entries could be accessed without following the unseal workflow.
• CVE-2026-9247 Core - Fixed an issue where sealed credentials could be unsealed in another DVLS instance without notifying administrators, and improved handling of linked sealed credentials after import.
• CVE-2026-9248 Core - Fixed an issue where duplicating a connection could copy handbooks and attachments from entries the user could not access.
• CVE-2026-9249 Core - Fixed a password change bypass that allowed users to change passwords without providing the previous password.
• CVE-2026-9251 Core - Fixed an issue where non-admin users could bypass the Pending Approval flow by changing an entry's status.
• Core - Fixed a NullReferenceException in the notification processing service that could leave notifications stuck in an unprocessed state.
• Core - Fixed an issue where Linked (External) credentials were not saved correctly on SSH entries linked to an SSH Key.
• Core - Fixed attachments being lost when moving an entry to another vault.
• Core - Fixed folder duplication so sub-entries are duplicated along with the parent folder.
• Web - Fixed a TypeError when opening the Advanced Search dialog as a user without a User Vault.