Bitwarden silently resets your account settings every time you log out and log back in, without the user's knowledge - security problem.

[tdbe]

Steps To Reproduce

• Install Bitwarden on a new device from google play store (tried google pixel 10 xl, android 16) (also tried android 13, samsung)
• Log in (email, password, 2fa, remember me).
• Set your settings: Other settings: Clear clipboard: 10s, Allow sync on refresh: true. Account Security: Session timeout: 1minute.
• Then Lock, then Log out.
• Then Log in again.
• Your settings are now all reset to defaults.

Major security risk: user still thinks their clipboard will be cleared in 10s. Hands the phone to someone else tomorrow. The password is still in the clipboard. -- No matter what your agenda is, may I suggest you have a "clear clipboard on lock" with ON by Default??????? Most if not ALL open source password managers do this.

Expected Result

The settings are saved in the logged in account's settings page. This means the user expects the settings to be there when they log in. You should tie the settings to an ID generated by the device id + the user account.

The fact that you reset the settings on us without telling us, leads to major password leak issues as the user doesn't know the app no loonger locks or logs out immediately / according to their explicit settings. And also the clipboard is not cleared any more, without warning.

Actual Result

The settings are saved in the logged in account's settings page. This means the user expects the settings to be there when they log in. You should tie the settings to an ID generated by the device id + the user account.

The fact that you reset the settings on us without telling us, leads to major password leak issues as the user doesn't know the app no loonger locks or logs out immediately / according to their explicit settings. And also the clipboard is not cleared any more, without warning.

Screenshots or Videos

No response

Additional Context

No response

Build Version

Pixel 10 (app from mobileapp.bitwarden.com/fdroid/repo):

Version: 2026.4.0 (21434)
📱 google Pixel 10 XL 🤖 16@36 📦 prod -fdroid
🧱 commit: 61955d7
💻 build source: bitwarden/android/actions/runs/23952219208/attempts/1
🦀 SDK: 2.0.0-5676-14521973
🌩 Server: 2026.4.1 @ US

Samsung tablet (app from google play store):

Version: 2026.4.0 (21434)
📱 samsung SM-T97x 🤖 13@33 📦 prod
🧱 commit: 61955d7
💻 build source: bitwarden/android/actions/runs/23952219208/attempts/1
🦀 SDK: 2.0.0-5676-14521973
🌩 Server: 2026.4.1 @ US

What server are you connecting to?

US

Self-host Server Version

No response

Environment Details

Pixel 10 XL. Android 16.
Samsung, Android 13.

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[bitwarden-bot]

Thank you for your report! We've added this to our internal board for review.
ID: PM-36883

[SaintPatrck]

@tdbe your reproduction steps include "Log Out". When a user logs out the expected behavior is to clear their account settings exactly like you're describing. The only exception to that is when the Session Timeout is set to Logout, which we consider a "soft logout", and we partially retain your settings (e.g. PIN, timeout action, and timeout interval).

Can you turn on Flight Recorded and leave it on until the behavior manifests again, as I requested in #6882? That will clearly indicate if/why LOGOUT is being performed, and why settings are being cleared. We're looking for the log line, logout reason=.... With that, we can tell definitively whether what you're experiencing is a true bug or one of the documented logout paths firing without an explicit user action.

[tdbe]

Here I describe the action of logging out manually on purpose by pressing the log out button. I point out it's a major UX misinformation. It's as if I log in to Whatsapp or Signal, make my phone number private, then log out and log in again and my phone number secretly became reset to public again without my knowledge. And you're saying this is on purpose. Well, if it's on purpose then you absulutely must at the very very very least clear the clipboard on lock as a default setting. And when the user logs in, show a popup saying Warning: your settings have been reset to defaults. No other app silently resets settings on you by design.

This "we silently delete your settings by design" functionality has 0 paths that aren't directly hurtful to the user, and 0 paths in which it is a security issue. As a matter of fact, deleting your security settings IS the security issue. The settings are part of your account + device id. they should always be applied when the account + device is present.

[pamperer562580892423]

Well, if it's on purpose then you absulutely must at the very very very least clear the clipboard on lock as a default setting.

Well, as it happens, this was just introduced for the browser extensions:

 

I would like to see this in the other Bitwarden apps/clients too, as it really does make sense to have that minimal security safety net no matter what.

[pamperer562580892423]

BTW, could you copy & paste the full version details from your BW Android app in here / or into your OP here? (Settings --> About --> Version)

[tdbe]

BTW, could you copy & paste the full version details from your BW Android app in here / or into your OP here? (Settings --> About --> Version)

I already put it under:

Build Version
2026.4.0 (21434)

[pamperer562580892423]

BTW, could you copy & paste the full version details from your BW Android app in here / or into your OP here? (Settings --> About --> Version)

I already put it under:

Build Version
2026.4.0 (21434)

I meant the complete copy & paste content from the Android app (Settings --> About --> Version). It looks like this (freshly copied & pasted from my device):

© Bitwarden Inc. 2015-2026

Version: 2026.4.0 (21434)
📱 Fairphone FP5 🤖 15@35 📦 prod
🧱 commit: 61955d7
💻 build source: bitwarden/android/actions/runs/23952219208/attempts/1
🦀 SDK: 2.0.0-5676-14521973
🌩 Server: 2026.4.1 @ EU

[JayX83]

It’d honestly be way better if user settings were saved to the cloud so whenever we log into our account everything is already there automatically. It’s a pain in the butt having to reconfigure everything every single time after logging out. Same thing happens with other settings too, especially under "Generator" where stuff like email forwarding settings and other configs keep getting reset as well.

[pamperer562580892423]

@JayX83 As much as I also like to tackle "features" (changes, requests etc.) here on GitHub, in connection to "bugs"... please bear in mind that Bitwarden uses GitHub (the "issue" sections) only for bug reports... "feature requests" are to be discussed / created / voted on on the Bitwarden Community Forum. (and therefore are mostly ignored here... 🤷🏻‍♂️)

As it happens, there is an existing feature request for being able to "sync settings": https://community.bitwarden.com/t/sync-bitwarden-settings-like-lock-after-x-minutes-or-pin/5203