starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 17:55:58 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #1867] Hidden secrets are visible for users with "hide password" option enabled. #1087

New issue
Closed
opened 2026-03-03 02:06:10 +03:00 by kerem · 2 comments
kerem commented 2026-03-03 02:06:10 +03:00
Owner
Copy link

Originally created by @mhooSec on GitHub (Jul 23, 2021).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1867

Subject of the issue

Hidden secrets are visible for users with "hide password" option enabled.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.22.1
  • Web-vault version: v2.20.4b
  • Running within Docker: true
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.35.4
  • Clients used: Web
  • Reverse proxy and version: Nginx 1.18.0 (Ubuntu)
  • Other relevant information:

Steps to reproduce

1.- Create an organisation
2.- Invite an user to this organisation with role "User" and access control to a specific container with "hide password" checkbox on.
3.- Using the admin user, create a new password entry within the organisation, inside of the collection that we approved to the invited user. Something basic, like an username, a password, and a hidden custom field. Save.
4.- Log in with the newly invited user account, and inspect that entry in the collection. Secrets, such as the password and the hidden custom field, should be hidden.
5.- With this newly invited user account, remove the custom field in that entry and save.
6.- Using the user account, check that entry again. At the bottom of the modal box, there should be a clickable "1" next to Password History. Click and it will reveal the hidden value of the custom field, which was not viewable prior to its deletion.

Expected behaviour

As the organisation specified that secrets should be hidden from this specific user, that user should not be able to retrieve those secrets in any way. Therefore, when clicking "Password History" at the bottom of the entry, the secret value should not be shown if the user access control does not allow so.

Actual behaviour

The user was able to retrieve secrets from the organisation without authorisation.

--

Thank you for your attention.

Originally created by @mhooSec on GitHub (Jul 23, 2021). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1867 ### Subject of the issue Hidden secrets are visible for users with "hide password" option enabled. ### Deployment environment ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.22.1 * Web-vault version: v2.20.4b * Running within Docker: true * Environment settings overridden: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.35.4 * Clients used: Web * Reverse proxy and version: Nginx 1.18.0 (Ubuntu) * Other relevant information: ### Steps to reproduce <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults) and how did you start vaultwarden? --> 1.- Create an organisation 2.- Invite an user to this organisation with role "User" and access control to a specific container with "hide password" checkbox on. 3.- Using the admin user, create a new password entry within the organisation, inside of the collection that we approved to the invited user. Something basic, like an username, a password, and a hidden custom field. Save. 4.- Log in with the newly invited user account, and inspect that entry in the collection. Secrets, such as the password and the hidden custom field, should be hidden. 5.- With this newly invited user account, remove the custom field in that entry and save. 6.- Using the user account, check that entry again. At the bottom of the modal box, there should be a clickable "1" next to Password History. Click and it will reveal the hidden value of the custom field, which was not viewable prior to its deletion. ### Expected behaviour As the organisation specified that secrets should be hidden from this specific user, that user should not be able to retrieve those secrets in any way. Therefore, when clicking "Password History" at the bottom of the entry, the secret value should not be shown if the user access control does not allow so. ### Actual behaviour The user was able to retrieve secrets from the organisation without authorisation. -- Thank you for your attention.
kerem closed this issue 2026-03-03 02:06:10 +03:00
kerem commented 2026-03-03 02:06:11 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Jul 23, 2021):

This looks like a client (web-vault) issue. Something we do not maintain. For items like this you should go to bitwarden.

<!-- gh-comment-id:885872111 --> @BlackDex commented on GitHub (Jul 23, 2021): This looks like a client (web-vault) issue. Something we do not maintain. For items like this you should go to bitwarden.
kerem commented 2026-03-03 02:06:11 +03:00
Author
Owner
Copy link

@jjlin commented on GitHub (Jul 23, 2021):

As @BlackDex said, this is implemented on the client side, and Vaultwarden only implements the server side, so this behavior is completely out of Vaultwarden's control.

That said, it does seem like an odd design decision to automatically append deleted "hidden" custom fields to the password history, considering they may or may not be passwords. Also, the unobfuscated password history for a cipher probably should not be shown to users to whom the "hide passwords" option applies.

If you feel strongly about this behavior, you can bring it up with Bitwarden at https://community.bitwarden.com/c/feature-requests/5/ or https://github.com/bitwarden/web/issues (not sure whether they would consider these bugs/issues or feature requests).

I would note that expecting that a "user should not be able to retrieve those secrets in any way" is unrealistic, though. Particularly with the web client, it's trivial for someone who knows what they're doing to use the browser's dev tools to reveal the "hidden" fields.

<!-- gh-comment-id:885948340 --> @jjlin commented on GitHub (Jul 23, 2021): As @BlackDex said, this is implemented on the client side, and Vaultwarden only implements the server side, so this behavior is completely out of Vaultwarden's control. That said, it does seem like an odd design decision to automatically append deleted "hidden" custom fields to the password history, considering they may or may not be passwords. Also, the unobfuscated password history for a cipher probably should not be shown to users to whom the "hide passwords" option applies. If you feel strongly about this behavior, you can bring it up with Bitwarden at https://community.bitwarden.com/c/feature-requests/5/ or https://github.com/bitwarden/web/issues (not sure whether they would consider these bugs/issues or feature requests). I would note that expecting that a "user should not be able to retrieve those secrets in any way" is unrealistic, though. Particularly with the web client, it's trivial for someone who knows what they're doing to use the browser's dev tools to reveal the "hidden" fields.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.8
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#1087
No description provided.