Missing authentication for the /icons/ endpoint #1261

New Issue

Closed

opened 2025-10-09 17:09:19 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2025-10-09 17:09:19 +03:00

Owner

Copy Link

Originally created by @l4rm4nd on GitHub.

Subject of the issue

I would assume that the /icons endpoint of vaultwarden also requires user authentication. Currently, any external user is able to query the endpoint and identify valid icons without being authenticated to the webvault. This may allow someone to enumerate vault url entries or sites that have been stored. One can disable the icon download, but it is kinda handy as for visual aspects.

I don't know whether this is an issue at all. Not a security one from my perspective, but might introduce some privacy concerns if remote people can enumerate whether a vault has some adult or illegal sites stored. What do you think?

Deployment environment

Vaultwarden runs as Docker container on my RPi4 (ARM). Deployed within portainer and compose file. Exposed via an nginx reverse proxy.

• vaultwarden version: Version 1.23.0

• Install method: Portainer Docker Compose

• Clients used: Any client with access to the web vault (http protocol)

Steps to reproduce

Browse your webvault and try an icon path like /icons/www.google.de/icon.png. Choose a domain or url that you know is stored within the vault. If the icon successfully loads, the vault has likely stored that url and downloaded the icon of the website. If a blank icon occurs, the url might not be stored, does not have an icon or the icon download feature has been disabled.

Expected behaviour

The web vault should redirect to the login area and require authentication to display the icons.

Actual behaviour

The web vault responds with the requested image icon if available or defaults to a blank icon. No authentication required.

Originally created by @l4rm4nd on GitHub. ### Subject of the issue I would assume that the /icons endpoint of vaultwarden also requires user authentication. Currently, any external user is able to query the endpoint and identify valid icons without being authenticated to the webvault. This may allow someone to enumerate vault url entries or sites that have been stored. One can disable the icon download, but it is kinda handy as for visual aspects. I don't know whether this is an issue at all. Not a security one from my perspective, but might introduce some privacy concerns if remote people can enumerate whether a vault has some adult or illegal sites stored. What do you think? ### Deployment environment Vaultwarden runs as Docker container on my RPi4 (ARM). Deployed within portainer and compose file. Exposed via an nginx reverse proxy. * vaultwarden version: Version 1.23.0 * Install method: Portainer Docker Compose * Clients used: Any client with access to the web vault (http protocol) ### Steps to reproduce Browse your webvault and try an icon path like ``/icons/www.google.de/icon.png``. Choose a domain or url that you know is stored within the vault. If the icon successfully loads, the vault has likely stored that url and downloaded the icon of the website. If a blank icon occurs, the url might not be stored, does not have an icon or the icon download feature has been disabled. ### Expected behaviour The web vault should redirect to the login area and require authentication to display the icons. ### Actual behaviour The web vault responds with the requested image icon if available or defaults to a blank icon. No authentication required.

OVERLORD closed this issue 2025-10-09 17:09:19 +03:00

OVERLORD commented 2025-10-09 17:09:21 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

Your described expected behavior is not the way it works.
All clients do not send authentication to the server to fetch these icons and thus we can't use that.

Unless something is going to change on the client side we can't redirect or put any authenticating on this at the server side.

There is no easy solution to block access to the icon endpoint for authenticated clients only.

@BlackDex commented on GitHub: Your described expected behavior is not the way it works. All clients do not send authentication to the server to fetch these icons and thus we can't use that. Unless something is going to change on the client side we can't redirect or put any authenticating on this at the server side. There is no easy solution to block access to the icon endpoint for authenticated clients only.

OVERLORD referenced this issue 2025-10-09 18:23:56 +03:00

[PR #1261] [CLOSED] rustfmt #3467

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

test_dylint

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

bug

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#1261