Bitwarden Send access limitation allows too many access attempts. #1439

Closed
opened 2025-10-09 17:15:19 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @drownthewitch on GitHub.

Subject of the issue

The current testing version of the Bitwarden_rs server seems to allow N+1 access attempts to a shared Bitwarden Send resource, when N are configured.

For example, when 1 allowed access attempt is configured, 2 visits are allowed before the published Send resource is disabled; when 2 are configured, 3 are allowed, etc.

Deployment environment

Your environment (Generated via diagnostics page)

  • Bitwarden_rs version: v1.19.0-7436b454
  • Web-vault version: v2.19.0
  • Running within Docker: true
  • Internet access: true
  • Uses a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": false,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****.***********.***/",
  "domain_origin": "*****://*****.***********.***",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "*****",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "",
  "smtp_from_name": "Bitwarden_RS",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • bitwarden_rs version: 1.19.0-7436b454
  • Install method: Docker image

  • Clients used: Firefox plugin, Web vault

  • Reverse proxy and version:

  • MySQL/MariaDB or PostgreSQL version:

  • Other relevant details:

Steps to reproduce

  1. Create a Bitwarden Send text share and set it for 2 allowed access attempts.
  2. Access the link up to 3 times and notice all attempts succeed.
  3. Notice a 4th access attempt does fail.

Expected behaviour

  • The link should expire after the amount of access attempts configured.

Actual behaviour

  • The link only expires after N+1 access attempts have been made.

Troubleshooting data

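As an added illustration (not vaultwarden's code and not the change in the linked PR), the following models a Send access counter and shows how a `>` comparison where `>=` is needed produces exactly the N+1 behaviour reported above; the struct and function names are assumptions.

```rust
// Added model of the off-by-one described in this issue. NOT vaultwarden's
// code: the struct, function names and comparisons are assumptions chosen to
// reproduce the reported behaviour.

/// Minimal model of a Send's access bookkeeping (assumed shape, not the real schema).
#[derive(Debug, Clone)]
pub struct SendModel {
    pub access_count: u32,
    pub max_access_count: Option<u32>,
}

/// Buggy policy: the limit is only enforced once the counter already exceeds it,
/// so a Send configured for N accesses serves N+1 (the behaviour in the report).
pub fn try_access_buggy(send: &mut SendModel) -> bool {
    if let Some(max) = send.max_access_count {
        if send.access_count > max {
            return false;
        }
    }
    send.access_count += 1;
    true
}

/// Corrected policy: refuse as soon as N accesses have already been served.
pub fn try_access_fixed(send: &mut SendModel) -> bool {
    if let Some(max) = send.max_access_count {
        if send.access_count >= max {
            return false;
        }
    }
    send.access_count += 1;
    true
}

/// Count how many accesses a policy grants before its first refusal,
/// capped at `attempts` so a Send with no limit terminates.
pub fn granted_accesses(policy: fn(&mut SendModel) -> bool, max: Option<u32>, attempts: u32) -> u32 {
    let mut send = SendModel { access_count: 0, max_access_count: max };
    let mut granted = 0;
    for _ in 0..attempts {
        if !policy(&mut send) {
            break;
        }
        granted += 1;
    }
    granted
}

fn main() {
    // Mirrors the steps to reproduce: configured for 2, buggy grants 3, fixed grants 2.
    println!("buggy: {}", granted_accesses(try_access_buggy, Some(2), 10));
    println!("fixed: {}", granted_accesses(try_access_fixed, Some(2), 10));
}
```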
OVERLORD added the bug, good first issue labels 2025-10-09 17:15:19 +03:00
Author
Owner

@BlackDex commented on GitHub:

This has been fixed already: https://github.com/dani-garcia/bitwarden_rs/pull/1487

Thanks for reporting with all the details.

Reference: starred/vaultwarden#1439