Credential Exchange Protocol (CXP) support on mobile in iOS 26
End user onboarding and UI: post-account creation, guide users to download the browser extension, pin the browser extension, and understand how to generate passwords, save logins, and autofill.
Improving performance load times for extension and autofill
Item Archiving: keep items safe in your vault but out of the way when using autofill and searching
Bitwarden Send: expanding Bitwarden Send to allow Send creators to require email verification via OTP to open the Send by the recipient
Core cryptography improvements
Desktop (MacOS) auto-type of passwords
Desktop (Windows) auto-type of passwords
Desktop (MacOS) native use of passkeys
Desktop (Windows) native use of passkeys
Credential Exchange Protocol (CXP) support on mobile - coming to Android
Bitwarden for business
Access Intelligence: New Risk Insights dashboard that allows organizations to roll-up credentials into applications, categorize the criticality and risk of applications, and send guided alerts to end users to update weak, reused, or exposed passwords.
Policies: Expansion to Organization data ownership policy that will allow creation of default collections, called My items, for enterprise users to have a personal space to save business items to
Policies: new policy to set default match URI detection policy for autofill
Policies: new enterprise policy that allows organizations to disable use of credit card item type
Policies: expansion to Organization data ownership policy that prompts users to transfer individual vault items to their My items space
Provide administrators the ability to change user’s email addresses
Reporting: improving performance load times for large organizations
Collections: Improving performance load times for large organizations
SIEM integration: Crowdstrike integration with Bitwarden event logs
Transparency
Items listed on the roadmap are active, in-development initiatives from the Bitwarden product and engineering team. As the Bitwarden team releases new features, this roadmap will be updated as a living document so that the Bitwarden community will know what new items are in progress as well as items likely to be released near-term.
Any dates provided by Bitwarden team members on any initiatives are targets and will be continually revised as the team gets closer to release. As with all features, the top priority is ensuring security and product stability.
Previous releases
You can also review previous release notes to learn more about recently launched features.
Posting a feature request Start here to learn how to post a feature request.
Can someone explain what this means? My first reaction is that it sounds like it may create a new attack surface for the browser extension…
Shared state refers to both shared login state and shared unlock state. That is, logging into your web vault, will log you into your browser extension, and vice versa, and, unlocking/locking one of them would unlock/lock both.
Yes, this requires a new IPC layer at large (currently being built), a new transport layer encryption (Most likely Noise), and new ways to determine trust. I.e
“How does the web vault (locally) know it’s talking to the browser before handing over secrets”
“How does the browser extension know it’s talking to the web vault (locally) before handing over secrets”
Passive sniffing, or secrets being swapped to disk is prevented by the transport layer encryption. The interesting part here is trust. (I don’t know the current progress on trust, so I won’t comment on that).
Of course, as always, this is covered by regular audits, is open source, and reviewed internally for security issues before releasing.
The most critical scenario is being able to log into the browser extension from the web, given that most users start with account creation on the web and the goal is to accelerate onboarding to the browser extension. For now, this may be limited to new users post-account creation. This is still in early technical research.
OK, thanks for the additional information. Having the Web Vault login automatically authenticate the browser extension would be a useful work-around to the delayed (or abandoned?) implementation of passkey login for the browser extensions.
However, forcing the browser extension to log out whenever the Web Vault logs out (which I think is what was implied by @Quexten’s “vice versa” comment above) does not seem to serve any useful purpose.
Where’s passkey exporting that has been talked about?
How about vault entry sorting by type, date, whatever? seems like there was some interest too considering the poll
Any plans to add “security dashboard” type of stuff to apps/extensions? most of the competition include this, and BW has this only in the web vault
There’s more i could ask about but considering it’s a confirmed roadmap I’m just asking about stuff that had some traction from BW itself from what I’ve seen
@gtran I note that Desktop (MacOS) auto-type of passwords is listed in the roadmap above. Can someone from Bitwarden advise when this will make it into a final release?
Currently, most crypto managers are single-algorithm encryption (AES), and it is hoped that 2026 will be a combination of dual-algorithm cascades (AES+Camellia, Twofish+Serpent) and so on.
Which features are coming next? My expections on a Roadmap Topic are sligthly different as it shows here. Last Release was announced in May 2025, now its nearly September 2025.
Would you please give us an rough overview, what we can get expect in the next few month. Please provide a schedule in which frequencies you woul release a Feature set or Bugfixing.
Is a release date known for the ‘Desktop (MacOS) auto-type of passwords’ and ‘Desktop (MacOS) native use of passkeys’ features of ‘End user experience and autofill’?
End user onboarding and UI: browser extension onboarding nudges to guide users on key features of the browser extension upon initial installation
to learn how to post a feature request.