mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-04-26 01:35:54 +03:00
[GH-ISSUE #691] With SIGNUPS_ALLOWED set Create user form can expose existing users email #467
Originally created by @danmed on GitHub (Oct 29, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/691
I have the latest bitwarden mysql docker image from dockerhub running. Everything is working great, but when I went to test whether creating accounts had been disabled, it auto-filled my email address in.
When I hit submit it told me the user already existed. It seems that it shouldn't even be checking against the database in order to reveal that the email address I had entered existed.
I know no one else would autofill using my email address, but it does leave it open to at least telling an attacker that an account exists.
@BlackDex commented on GitHub (Oct 29, 2019):
The autofill is probably something of your own browser.
This doesn't magically get extracted from the database and guessed for the person who wants to login.
It only gets pre-filled when using the link from the e-mail sent if you have an invite e-mail.
About the "user already exists" message, there is no way to not show that message if someone wants to register. You can't report a random error, and the web-interface needs to know it can continue with the signup process.
So, I'm not sure if this can be fixed or not from the server side.
@danmed commented on GitHub (Oct 29, 2019):
I'm aware that the box was filled in from my browser, that's not the issue. The issue I'm trying to point out is that half the problem for an attacker is to guess the username; there's basically a feature there telling them they've hit a good account.
If I've got registrations turned off, then the button to create an account shouldn't even exist, let alone confirm there is an account with that name being used already.
@mprasil commented on GitHub (Nov 1, 2019):
That's a good point. I've created a PR to fix that.
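The ordering problem the thread describes, as an added example written for this page (it is not Vaultwarden's code and not the PR mentioned above): `Config`, `Db` and the two `register_*` functions are assumed stand-ins for the real config flag, user table and register handler, and the e-mail addresses are constructed sample data.

```rust
// Added example (not Vaultwarden's code): why the SIGNUPS_ALLOWED check must
// run before the "does this e-mail exist" lookup in a register endpoint.
use std::collections::HashSet;

/// Stand-in for the server config (assumed name, mirrors SIGNUPS_ALLOWED).
pub struct Config {
    pub signups_allowed: bool,
}

/// Stand-in for the user table: a set of registered e-mails (constructed data).
pub struct Db {
    users: HashSet<String>,
}

impl Db {
    pub fn new(existing: &[&str]) -> Self {
        Db { users: existing.iter().map(|e| e.to_lowercase()).collect() }
    }
    fn user_exists(&self, email: &str) -> bool {
        self.users.contains(&email.to_lowercase())
    }
}

/// Leaky ordering: the existence check runs before the policy check, so a
/// registered and an unknown e-mail get different errors even with signups off.
pub fn register_leaky(cfg: &Config, db: &Db, email: &str) -> Result<(), &'static str> {
    if db.user_exists(email) {
        return Err("User already exists");
    }
    if !cfg.signups_allowed {
        return Err("Signups are not allowed");
    }
    Ok(())
}

/// Hardened ordering: with signups disabled, refuse before touching the
/// database, so the response is identical whether or not the e-mail is known.
pub fn register_fixed(cfg: &Config, db: &Db, email: &str) -> Result<(), &'static str> {
    if !cfg.signups_allowed {
        return Err("Signups are not allowed");
    }
    if db.user_exists(email) {
        return Err("User already exists");
    }
    Ok(())
}

/// Enumeration check a defender can run: does the handler answer differently
/// for a known e-mail than for an unknown one under the same config?
pub fn leaks_existence(reg: fn(&Config, &Db, &str) -> Result<(), &'static str>, cfg: &Config, db: &Db) -> bool {
    reg(cfg, db, "alice@example.com") != reg(cfg, db, "nobody@example.com")
}
```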