user sharing item to another collection that has "Hide Passwords" cannot read the password any more #1143

Closed
opened 2026-02-05 00:06:41 +03:00 by OVERLORD · 0 comments
Originally created by @perkons on GitHub (Oct 29, 2021).

Subject of the issue

If a user is in 2 collections and one of them has the setting "Hide Passwords" set, all passwords that are in both collections will not be readable by the user, even if the user shares a login item from the collection with no "Hide Passwords" set.

Deployment environment

  • vaultwarden version: 1.23.0
  • Install method: vaultwarden/server:1.23.0-alpine in Kubernetes

  • Clients used: web

  • Reverse proxy and version: NA

  • MySQL/MariaDB or PostgreSQL version: postgresql13-server-13.4 with Patroni HA (2 hosts Oraclelinux 8)

  • Other relevant details: NA

Steps to reproduce

Let's say we have:

organizations: org1
collections: team1, team2, team3
users: user1, user2, user3, ...
login items in team1: linux1, linux2
login items in team2: windows1, windows2
login items in team3: router1, router2
collection access user1 (owner): all
collection access user2 (user): team2
collection access user3 (user): team3

Let's say user2 (or any other user from team2) wants to add login item windows1 to collection team3. user1 adds user2 to team3 with the option "Hide Passwords" so that user2 could not see the passwords for team3. user2 adds windows1 to collection team3. windows1 is now visible in two collections, team2 and team3.

Expected behaviour

user2 can still read the password from item windows1. user2 has no permissions to remove any items from team3. user2 has no permissions to add any items from team3 to team2 (passwords for items added from team3 to team2 are not readable).

Actual behaviour

user2 cannot view the password of windows1 any more; it is grayed out (user2 can remove windows1 from team3 and the password becomes visible again). user2 can also now add any other item from team3 to team2 and remove any item from team3. The passwords will not be possible to read, but user3 (or other users from team3) would not see any items in team3 any more.

Troubleshooting data

Used the web client with multiple users to test.

OVERLORD added the bug label 2026-02-05 00:06:41 +03:00
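
The scenario in the report, modelled as an added example (not vaultwarden code and not part of the original issue; every type and function name is hypothetical). It compares two ways of combining per-collection "Hide Passwords" flags for an item that sits in several collections: "any hides", which is consistent with the grayed-out password described above, and "all hide", which is one reading of the reporter's expected behaviour.

```rust
// Added illustration; not vaultwarden code. All names here are hypothetical.
use std::collections::HashMap;

/// How per-collection "Hide Passwords" flags combine for one item.
#[derive(Clone, Copy)]
enum Merge {
    AnyHides, // hidden if any granting collection hides (consistent with the report)
    AllHide,  // hidden only if every granting collection hides (reporter's expectation)
}

/// One user's grants: collection name -> "Hide Passwords" flag.
type Grants = HashMap<&'static str, bool>;

/// Returns None when the user reaches the item through no collection at all.
fn password_hidden(merge: Merge, grants: &Grants, item_collections: &[&str]) -> Option<bool> {
    // Keep only the flags of collections the user is actually a member of.
    let flags: Vec<bool> = item_collections
        .iter()
        .filter_map(|c| grants.get(*c).copied())
        .collect();
    if flags.is_empty() {
        return None;
    }
    Some(match merge {
        Merge::AnyHides => flags.iter().any(|&h| h),
        Merge::AllHide => flags.iter().all(|&h| h),
    })
}

/// Constructed from the report: user2 has team2 (visible) and team3 ("Hide Passwords").
fn user2_grants() -> Grants {
    HashMap::from([("team2", false), ("team3", true)])
}

fn main() {
    let g = user2_grants();
    // Item -> collections, after user2 has shared windows1 into team3.
    let items: [(&str, &[&str]); 4] = [
        ("windows1", &["team2", "team3"][..]),
        ("windows2", &["team2"][..]),
        ("router1", &["team3"][..]),
        ("linux1", &["team1"][..]),
    ];
    for (name, cols) in items {
        let any = password_hidden(Merge::AnyHides, &g, cols);
        let all = password_hidden(Merge::AllHide, &g, cols);
        println!("{name}: any-hides={any:?} all-hide={all:?}");
    }
}
```

Only windows1 differs between the two rules; router1 stays hidden under both, and linux1 is not reachable by user2 at all.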
Reference: starred/vaultwarden#1143