starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-25 17:25:57 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #515] Admin page is available even without ADMIN_TOKEN #323

New issue
Closed
opened 2026-03-03 01:27:59 +03:00 by kerem · 4 comments
kerem commented 2026-03-03 01:27:59 +03:00
Owner
Copy link

Originally created by @poblabs on GitHub (Jun 27, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/515

I admit I'm a bit new to bitwarden_rs, so I'm still trying to figure it out. I'm running this in a docker container on my Synology and it's working great.

I do not have the ADMIN_TOKEN, nor DISABLE_ADMIN_TOKEN environment variables specified, yet /admin is available to me without authentication.

Anything I'm missing? I would assume that page would be disabled if I wasn't explicitly defining something with those environment variables.

Here's the version from the header of the admin page: Version: 1.9.1-3fb63bbe

Originally created by @poblabs on GitHub (Jun 27, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/515 I admit I'm a bit new to bitwarden_rs, so I'm still trying to figure it out. I'm running this in a docker container on my Synology and it's working great. I **do not** have the `ADMIN_TOKEN`, nor `DISABLE_ADMIN_TOKEN` environment variables specified, yet `/admin` is available to me without authentication. Anything I'm missing? I would assume that page would be disabled if I wasn't explicitly defining something with those environment variables. Here's the version from the header of the admin page: `Version: 1.9.1-3fb63bbe`
kerem 2026-03-03 01:27:59 +03:00
kerem commented 2026-03-03 01:28:00 +03:00
Author
Owner
Copy link

@mprasil commented on GitHub (Jun 27, 2019):

which docker image are you using - based on the version hash, it seems to be the latest version of bitwardenrs/server, is that right? Can you describe steps to reproduce it?

Have you at any stage set the admin token via the admin interface? These settings are saved into a configuration file, so your ADMIN_TOKEN can be still set there even if you removed the environment variable.

<!-- gh-comment-id:506430457 --> @mprasil commented on GitHub (Jun 27, 2019): which docker image are you using - based on the version hash, it seems to be the latest version of `bitwardenrs/server`, is that right? Can you describe steps to reproduce it? Have you at any stage set the admin token via the admin interface? These settings are saved into a configuration file, so your ADMIN_TOKEN can be still set there even if you removed the environment variable.
kerem commented 2026-03-03 01:28:00 +03:00
Author
Owner
Copy link

@poblabs commented on GitHub (Jun 27, 2019):

which docker image are you using - based on the version hash, it seems to be the latest version of bitwardenrs/server, is that right?

That's right. I downloaded it last night. The version hash looks like your latest server commit hash.

Can you describe steps to reproduce it?

I installed the image, started a container, and was able to browse to http://<IP>/admin without any challenge. No variables are defined which would enable the admin page (according to the wiki docs).

EDIT: After answering the questions below, perhaps the variables are cached/saved.

Have you at any stage set the admin token via the admin interface?

Yes, I set it once to test it out. Ran into some issues, so I stopped the container, removed the variable, restarted the container. So this makes sense - however if the variable is saved in a cache file, I question why I'm not being challenged?

Note: I also did set DISABLE_ADMIN_TOKEN as well at one point - but I have since removed it. Where I feel I should be right now is with a disabled admin page.

Where are these variables cached? I'll be curious to try and find/remove them and see how it goes.

<!-- gh-comment-id:506433019 --> @poblabs commented on GitHub (Jun 27, 2019): > which docker image are you using - based on the version hash, it seems to be the latest version of bitwardenrs/server, is that right? That's right. I downloaded it last night. The version hash looks like your latest server commit hash. > Can you describe steps to reproduce it? ~~I installed the image, started a container, and was able to browse to `http://<IP>/admin` without any challenge. No variables are defined which would enable the admin page (according to the wiki docs).~~ **EDIT**: After answering the questions below, perhaps the variables are cached/saved. > Have you at any stage set the admin token via the admin interface? Yes, I set it once to test it out. Ran into some issues, so I stopped the container, removed the variable, restarted the container. So this makes sense - however if the variable is saved in a cache file, I question why I'm not being challenged? Note: I also did set `DISABLE_ADMIN_TOKEN` as well at one point - but I have since removed it. Where I feel I should be right now is with a disabled admin page. Where are these variables cached? I'll be curious to try and find/remove them and see how it goes.
kerem commented 2026-03-03 01:28:00 +03:00
Author
Owner
Copy link

@mprasil commented on GitHub (Jun 28, 2019):

The settings done in the admin interface are by default stored in the data folder into config.json file. They do override any environment variable settings, so if there's something there, removing ADMIN_TOKEN won't do anything really.

<!-- gh-comment-id:506722321 --> @mprasil commented on GitHub (Jun 28, 2019): The settings done in the admin interface are by default stored in the data folder into `config.json` file. They do override any environment variable settings, so if there's something there, removing `ADMIN_TOKEN` won't do anything really.
kerem commented 2026-03-03 01:28:00 +03:00
Author
Owner
Copy link

@poblabs commented on GitHub (Jun 28, 2019):

Ok, thanks. In my config.json I see "disable_admin_token": true,. Setting this to false disabled the admin page. I guess I'm all set. Thanks for the insight.

<!-- gh-comment-id:506738905 --> @poblabs commented on GitHub (Jun 28, 2019): Ok, thanks. In my config.json I see ` "disable_admin_token": true,`. Setting this to false disabled the admin page. I guess I'm all set. Thanks for the insight.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#323
No description provided.