[GH-ISSUE #1218] Users are affected by organization policies from orgs they are not in #862

Closed
opened 2026-03-03 02:04:07 +03:00 by kerem · 1 comment

Originally created by @aveao on GitHub (Nov 7, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/1218

Subject of the issue

Organization policies are (incorrectly) applied to users that are not part of them

Your environment

  • Bitwarden_rs version:
    Server Installed: 1.17.0 (Ok)
    Server Latest: 1.17.0
    Web Installed: 2.16.1 (Ok)
    Web Latest: 2.16.1

  • Install method: Docker

  • Clients used: Web and Browser

  • Other relevant information: None

Steps to reproduce

  • Create two users, user A and B
  • Have user A create an org A
  • Have user A place an org policy on org A
  • Notice that user B also has these policies applied:

Expected behaviour

Only user A (and other members of this organization) should have these policies

Actual behaviour

All users are affected by these policies

Relevant logs




  • https://elixi.re/i/e5o837no.png
  • https://elixi.re/i/5ns2qx8n.png
  • https://elixi.re/i/jty0wuf5.png
  • https://elixi.re/i/i9nr4vxv.png
  • https://elixi.re/i/mnhtgzj9.png

kerem closed this issue 2026-03-03 02:04:07 +03:00

@aveao commented on GitHub (Nov 7, 2020):

We've both verified this on a test instance and had this be done to our public instance by a rogue-seeming user. We are unable to delete the rogue organization and user directly through bitwarden_rs due to #936.
