Bitwarden CLI fails to decrypt attachments (Type 60 / Export zip)

[0neTX]

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.36.0
• Web-vault version: v2026.4.1
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: SQLite
• Database version: 3.51.3
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Forwarded-For)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• TZ environment: Europe/Paris
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://**********",
  "domain_origin": "*****://**********",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/logs/access.log",
  "log_level": "error",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 2,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "***********",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***********************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://***************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.36.0

Deployment method

Official Container Image

Custom deployment method

Description
When attempting to download or export item attachments using the official Bitwarden CLI from a Vaultwarden server, the command consistently fails to decrypt the files.

The vault is configured to use Argon2id for Key Derivation. The vault authenticates and unlocks successfully, and exporting just the passwords (bw export --format encrypted_json or json) works flawlessly. However, any CLI operation that involves fetching attachments
results in a decryption error.

This issue has been reproduced both inside containerized environments (Ubuntu chiseled) and directly on the host (Windows PowerShell natively).

Steps to reproduce

1. Have a Vaultwarden server (latest stable) configured with Argon2id KDF.
2. Ensure you have at least one vault item containing an attachment.
3. Authenticate and unlock the vault using the latest Bitwarden CLI:

1 bw config server https://vaultwaren.yourdomain.com
2 bw login --apikey --method 0
3 export BW_SESSION=$(bw unlock --raw)
4 bw sync
4. Test A (Individual Attachment): Attempt to download the attachment:

1 bw get attachment <attachment_id> --itemid <item_id> --output ./test_attachment.ext
Result: Fails with Invalid symmetric type, got type 60 with 1 parts.

5. Test B (Full Vault Export with Attachments): Attempt to export the vault as a zip (which includes attachments):
   1 bw export --format zip
   Result: Fails with Error: Error decrypting attachment.

Expected behaviour
The CLI should successfully decrypt and download attachments individually (bw get attachment) and as part of a full vault export (bw export --format zip), just as it successfully decrypts the standard vault database.

Troubleshooting Data
Test A Logs (bw get attachment):

1 [DBG] [BW CLI] Executing: bw get attachment 4b47a5c5616faca06b36 --itemid 02cd1a94-6645-4ac3-bba1-8357d7ce6322 --output "/data/attachments/discord_backup_codes.txt"
2 [ERR] CLI command failed. ExitCode=1. Error: Failed to decrypt cipher buffer: DecryptError: EncString error, Invalid symmetric type, got type 60 with 1 parts
3 An error occurred while saving the attachment.

Test B Logs (bw export --format zip):

1 > bw export --format zip
2 ? Master password: [hidden]
3 Error: Error decrypting attachment

Environment

• Vaultwarden version: Latest stable
• Install method: Docker
• Clients used: Bitwarden CLI (bw)
• Bitwarden CLI versions tested: v2026.5.0 (Latest)
• KDF: Argon2id

Reverse Proxy

traefik

Host/Server Operating System

Linux

Operating System Version

No response

Clients

CLI

Client Version

v2026.5.0 (Latest)

Steps To Reproduce

1. Have a Vaultwarden server (latest stable) configured with Argon2id KDF.
2. Ensure you have at least one vault item containing an attachment.
3. Authenticate and unlock the vault using the latest Bitwarden CLI:

1 bw config server https://vaultwaren.yourdomain.com
2 bw login --apikey --method 0
3 export BW_SESSION=$(bw unlock --raw)
4 bw sync
4. Test A (Individual Attachment): Attempt to download the attachment:

1 bw get attachment <attachment_id> --itemid <item_id> --output ./test_attachment.ext
Result: Fails with Invalid symmetric type, got type 60 with 1 parts.

5. Test B (Full Vault Export with Attachments): Attempt to export the vault as a zip (which includes attachments):
   1 bw export --format zip
   Result: Fails with Error: Error decrypting attachment.

Expected behaviour
The CLI should successfully decrypt and download attachments individually (bw get attachment) and as part of a full vault export (bw export --format zip), just as it successfully decrypts the standard vault database.

Troubleshooting Data
Test A Logs (bw get attachment):

1 [DBG] [BW CLI] Executing: bw get attachment 4b47a5c5616faca06b36 --itemid 02cd1a94-6645-4ac3-bba1-8357d7ce6322 --output "/data/attachments/discord_backup_codes.txt"
2 [ERR] CLI command failed. ExitCode=1. Error: Failed to decrypt cipher buffer: DecryptError: EncString error, Invalid symmetric type, got type 60 with 1 parts
3 An error occurred while saving the attachment.

Test B Logs (bw export --format zip):

1 > bw export --format zip
2 ? Master password: [hidden]
3 Error: Error decrypting attachment

Expected Result

The CLI should successfully decrypt and download attachments individually (bw get attachment) and as part of a full vault export (bw export --format zip), just as it successfully decrypts the standard vault database.

Actual Result

1 [DBG] [BW CLI] Executing: bw get attachment 4b47a5c5616faca06b36 --itemid 02cd1a94-6645-4ac3-bba1-8357d7ce6322 --output "/data/attachments/discord_backup_codes.txt"
2 [ERR] CLI command failed. ExitCode=1. Error: Failed to decrypt cipher buffer: DecryptError: EncString error, Invalid symmetric type, got type 60 with 1 parts
3 An error occurred while saving the attachment.

Logs

Screenshots or Videos

No response

Additional Context

The issue is strictly isolated to attachment retrieval. The error Invalid symmetric type, got type 60 with 1 parts suggests an issue with how the CLI parses the encryption string provided by Vaultwarden for attachments.

[BlackDex]

I'm unable to reproduce this issue. I have tried both PBKDF and Argon2id encryptions, all work without issues.
I can download attachments just fine.

Are you able to download these attachments via the Web-Vault or any other client besides the CLI?
How did you installed the CLI? Have you tried the pre-built binary from Bitwarden it self? https://github.com/bitwarden/clients/releases/tag/cli-v2026.5.0

What do the logs of Vaultwarden say?