Trashbin shows entries from other orgs #124

New Issue

OVERLORD · 2025-10-09T16:14:59+03:00

OVERLORD commented

2025-10-09 16:14:59 +03:00

Originally created by @senpro-ingwersenk on GitHub.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.33.2
Web-vault version: v2025.1.1
OS/Arch: linux/x86_64
Running within a container: true (Base: Alpine)
Database type: PostgreSQL
Database version: PostgreSQL 15.13 on x86_64-pc-linux-musl, compiled by gcc (Alpine 14.2.0) 14.2.0, 64-bit
Environment settings overridden!: true
Uses a reverse proxy: true
IP Header check: true (X-Real-IP)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: n/a
Domain Configuration Check: true
HTTPS Check: true
Websocket Check: true
HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, HIBP_API_KEY, SIGNUPS_ALLOWED, ADMIN_TOKEN, IP_HEADER, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_ACCEPT_INVALID_CERTS, SMTP_ACCEPT_INVALID_HOSTNAMES

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://*******************************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*********************",
  "domain_origin": "*****://*********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "ssh-key-vault-item, ssh-agent",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": true,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*****************",
  "smtp_from_name": "Vaultwarden from senpro.it",
  "smtp_host": "******************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*****************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.33.2

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Traefik via k3s 1.32.1

Host/Server Operating System

Linux

Operating System Version

NixOS 24.11

Clients

Web Vault

Client Version

Diverse

Steps To Reproduce

Go to any organization
Open the recycle/trash bin

Expected Result

Only entries belonging to this organization should be visible.

Actual Result

An absolute lot of entries from many, many other organizations are visible. The org itself only has ~27 entries - the bin has...a whole lot more (I didn't dare counting, and couldn't figure out how to do so using the database)

Logs

Just access logs, as far as I can tell.

Screenshots or Videos

This screenshot was taken in an org with only the mentioned 20ish records:

And this one was taken in one that had many, many more:

Since those include the names of our customers in full, I blacked them in Paint. However, neither of them should see any of those entries whatsoever, at all, ever.

Additional Context

We were trying to find a way to improve the performance of our clients (Extension, Desktop) by clearing out the bins and were under the belief that each org had it's own bin. But whilst my collegue was cleaning, he noticed that some orgs showed more or less entries, and eventually he saw that many of those entries were in fact shared, where they shouldn't be.

Further, we were just considering to let our customers access their own credentials in the org associated to them - and now we are worried that they would've seen others' deleted entries.

To gather further information, I went into psql and \d'd my way around the scheme to figure out where the flag was for deleted records to see how exactly they were handled - but, I didn't find it, possibly and most likely overlooked it no less.

Since I am not entirely sure if this is a bug or not, I decided to post it as a ticket. Because if it is, it's perhaps a problem.

Thank you and kind regards!

Originally created by @senpro-ingwersenk on GitHub. ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.33.2 * Web-vault version: v2025.1.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Alpine) * Database type: PostgreSQL * Database version: PostgreSQL 15.13 on x86_64-pc-linux-musl, compiled by gcc (Alpine 14.2.0) 14.2.0, 64-bit * Environment settings overridden!: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: n/a * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, HIBP_API_KEY, SIGNUPS_ALLOWED, ADMIN_TOKEN, IP_HEADER, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_ACCEPT_INVALID_CERTS, SMTP_ACCEPT_INVALID_HOSTNAMES **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "**********://*******************************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*********************", "domain_origin": "*****://*********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "ssh-key-vault-item, ssh-agent", "extended_logging": true, "helo_name": null, "hibp_api_key": "***", "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": true, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*****************", "smtp_from_name": "Vaultwarden from senpro.it", "smtp_host": "******************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "*****************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.33.2 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Traefik via k3s 1.32.1 ### Host/Server Operating System Linux ### Operating System Version NixOS 24.11 ### Clients Web Vault ### Client Version Diverse ### Steps To Reproduce 1. Go to any organization 2. Open the recycle/trash bin ### Expected Result Only entries belonging to this organization should be visible. ### Actual Result An absolute _lot_ of entries from many, many other organizations are visible. The org itself only has ~27 entries - the bin has...a whole lot more (I didn't dare counting, and couldn't figure out how to do so using the database) ### Logs ```text Just access logs, as far as I can tell. ``` ### Screenshots or Videos This screenshot was taken in an org with only the mentioned 20ish records: ![Image](https://github.com/user-attachments/assets/0733fdde-2d40-4866-b60c-4f1ce52a7506) And this one was taken in one that had many, many more: ![Image](https://github.com/user-attachments/assets/bf9a5a7c-6685-4add-969b-16d4b86dfc4e) Since those include the names of our customers in full, I blacked them in Paint. However, **neither** of them should see any of those entries whatsoever, at all, ever. ### Additional Context We were trying to find a way to improve the performance of our clients (Extension, Desktop) by clearing out the bins and were under the belief that each org had it's own bin. But whilst my collegue was cleaning, he noticed that some orgs showed more or less entries, and eventually he saw that many of those entries were in fact shared, where they shouldn't be. Further, we were just considering to let our customers access their own credentials in the org associated to them - and now we are worried that they would've seen others' deleted entries. To gather further information, I went into `psql` and `\d`'d my way around the scheme to figure out where the flag was for deleted records to see how exactly they were handled - but, I didn't find it, possibly and most likely overlooked it no less. Since I am not entirely sure if this _is_ a bug or not, I decided to post it as a ticket. Because if it is, it's perhaps a problem. Thank you and kind regards!

OVERLORD added the bug label 2025-10-09 16:14:59 +03:00

OVERLORD closed this issue

2025-10-09 16:14:59 +03:00

OVERLORD referenced this issue

2025-10-09 18:01:29 +03:00

U2F not working with krypt.co provider #2360

OVERLORD referenced this issue

2025-10-09 18:02:09 +03:00

Test with the new Vault v2.0 Public Preview #2368

OVERLORD referenced this issue

2025-10-09 18:31:33 +03:00

[PR #129] [MERGED] Implemented PUT for /two-factor/authenticator and /two-factor/disable #124 #3859