[GH-ISSUE #6525] Attachment download only possible when Admin Interface active. #2460

Closed
opened 2026-03-03 02:18:30 +03:00 by kerem · 10 comments

Originally created by @pictosun on GitHub (Dec 4, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6525

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3
  • Web-vault version: v2025.7.0
  • OS/Arch: linux/x86_64
  • Running within a container: false (Base: Not applicable)
  • Database type: SQLite
  • Database version: 3.50.3
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)


Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/home/XXX/vaultwarden/data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/home/XXX/vaultwarden/data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**************",
  "domain_origin": "*****://**************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/home/XXX/vaultwarden/data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Forwarded-For",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/home/XXX/vaultwarden/data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/home/XXX/vaultwarden/data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*****************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*******************",
  "templates_folder": "/home/XXX/vaultwarden/data/templates",
  "tmp_folder": "/home/XXX/vaultwarden/data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3

Deployment method

Other method

Custom deployment method

using Vaultwarden via uberspace.de:
https://lab.uberspace.de/guide_vaultwarden/#vaultwarden

Reverse Proxy

Uberspace

Host/Server Operating System

Linux

Operating System Version

CentOS

Clients

Web Vault

Client Version

Issue is independent of the client - it also happens via web-vault

Steps To Reproduce

  1. Create an attachment within Bitwarden App for a vault entry
  2. save it
  3. it is uploaded to vault web
  4. download is not possible

Expected Result

download is possible

Actual Result

giving an error message when downloading the attachment

Logs


Screenshots or Videos

No response

Additional Context

When I "enable" Admin Interface then I can download the attachments without any issues (via web vault or desktop app and so on).

When I "disable" Admin Interface the download is not possible and is giving me an error message.

As this is different than other issues correlated to attachments download I created a new issue. Hope this is ok.

kerem 2026-03-03 02:18:30 +03:00
  • closed this issue
  • added the bug label

@BlackDex commented on GitHub (Dec 4, 2025):

That sounds highly impossible as the Vaultwarden Admin Backend has nothing to do with any API calls or attachment downloading.

Please provide Vaultwarden logs as requested.


@pictosun commented on GitHub (Dec 5, 2025):

@BlackDex Where can I find those logs?


@pictosun commented on GitHub (Dec 5, 2025):

Short update:

  • in my first setup I disabled the Admin Token within .env File and config.json via # (comment).
  • now I tried to set a # mark before the Admin Token within .env file and "fully" deleted it within config.json and now the issue is gone. (everything is working again).

@stefan0xC commented on GitHub (Dec 5, 2025):

> in my first setup I disabled the Admin Token within .env File and config.json via # (comment).

Then you probably had a syntax error in your config.json which made Vaultwarden (silently) ignore that file.


@pictosun commented on GitHub (Dec 5, 2025):

Thanks for your feedback. Looks like it was that kind of error. Overall what is the best way to lock/disable the Admin Interface when not needing it? Do I fully need to delete the admin token within config.json and .env file? Cannot find a real explanation within the WIKI.
I'm having both (.env and config.json).


@stefan0xC commented on GitHub (Dec 5, 2025):

You can disable the admin panel by clearing the value in the config.json because that takes precedence over the other methods

"admin_token": "",
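
Added example, not part of the original thread or of Vaultwarden's code: a check to run before restarting, covering the two points made above, that a `#` line makes config.json invalid JSON and that a valid config.json overrides .env. The sample files and token values are constructed, `disable_admin_token` is assumed false as in the posted config, and treating an unparsable file as ignored follows the guess in the thread rather than verified Vaultwarden behaviour.

```python
import json

def parse_config(text):
    """Return (config, None), or (None, (line, message)) under strict JSON rules."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        src = text.splitlines()
        bad = src[exc.lineno - 1].strip() if exc.lineno <= len(src) else ""
        msg = exc.msg
        if bad.startswith(("#", "//")):
            msg += " (JSON has no comments; delete the line instead)"
        return None, (exc.lineno, msg)
    if not isinstance(cfg, dict):
        return None, (1, "top-level value must be an object")
    return cfg, None

def env_admin_token(text):
    """Return the active ADMIN_TOKEN from .env text, or None if unset or commented."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # in .env files '#' is a real comment marker
        key, _, val = line.partition("=")
        if key.strip() == "ADMIN_TOKEN":
            value = val.strip().strip("'\"")
    return value or None

def admin_panel_state(config_text, env_text):
    """Return (state, deciding_source) for the admin panel."""
    cfg, _err = parse_config(config_text)
    # null is treated as "not set" here (assumption of this example).
    if cfg is not None and cfg.get("admin_token") is not None:
        # A valid config.json takes precedence over .env (as stated in the thread).
        return ("enabled" if cfg["admin_token"] else "disabled", "config.json")
    # Key absent, or file unparsable and (assumption from the thread) ignored.
    return ("enabled" if env_admin_token(env_text) else "disabled", ".env")

# Constructed samples: a config.json "disabled" with '#', and one cleared properly.
BROKEN = """{
  "domain": "https://vault.example.invalid",
  # "admin_token": "constructed-placeholder",
  "signups_allowed": false
}
"""
CLEARED = """{
  "admin_token": "",
  "signups_allowed": false
}
"""
ENV_ACTIVE = "ADMIN_TOKEN=constructed-placeholder\n"
ENV_COMMENTED = "# ADMIN_TOKEN=constructed-placeholder\n"

if __name__ == "__main__":
    print(parse_config(BROKEN)[1])
    for cfg_text, env_text in [(BROKEN, ENV_ACTIVE), (CLEARED, ENV_ACTIVE)]:
        print(admin_panel_state(cfg_text, env_text))
```

With the `#` line present the file fails to parse at line 3 and the `.env` value decides; with the key cleared to an empty string, config.json decides even though `.env` still holds a token.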

@pictosun commented on GitHub (Dec 5, 2025):

Thanks for the help. So it is ok, to leave the token active within .env file, or should I also delete it over there?


@BlackDex commented on GitHub (Dec 5, 2025):

But, the best way is to add an admin token, and if you really want to protect it a bit more is by adding some authentication in front of it via your reverse proxy maybe.


@pictosun commented on GitHub (Dec 6, 2025):

@BlackDex Don't understand your last comment. Can you make it a bit more clear?

What is the correct procedure to activate/disable the admin web interface?

  • delete admin token within .env and config.json
  • comment out the admin token
  • delete the token in only one of those files
  • ....

@BlackDex commented on GitHub (Dec 6, 2025):

Always have the admin interface enabled, and add an extra auth option in-front of it via your reverse proxy.
I'm not sure how to make that more clear t.b.h.
Most reverse proxies allow some form of Basic Auth or other way of authentication to be needed for specific paths, like /admin. You can always add that as an extra level of security.

Also, I would recommend to either use only a .env file or ENV's via some other form and not edit the config.json as you have seen yourself it can easily break.
