There are loopholes in the Vaultwarden versin 1.28.1 #1629

New Issue

Closed

opened 2026-02-05 01:22:38 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2026-02-05 01:22:38 +03:00

Owner

Copy Link

Originally created by @hzpurewater on GitHub (Jul 5, 2023).

Using vulnerability scanning tools to scan Vaultwarden version 1.28.1, many bugs were found。I hope it can be resolved as soon as possible。
The detailed vulnerabilities are as follows:

Originally created by @hzpurewater on GitHub (Jul 5, 2023). Using vulnerability scanning tools to scan Vaultwarden version 1.28.1, many bugs were found。I hope it can be resolved as soon as possible。 The detailed vulnerabilities are as follows: 

OVERLORD closed this issue 2026-02-05 01:22:39 +03:00

OVERLORD commented 2026-02-05 01:22:46 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jul 5, 2023):

I'm not seeing bugs linked to Vaultwarden.
What did you used to scan? And what did you scan?

@BlackDex commented on GitHub (Jul 5, 2023): I'm not seeing bugs linked to Vaultwarden. What did you used to scan? And what did you scan?

OVERLORD commented 2026-02-05 01:22:48 +03:00

Author

Owner

Copy Link

@RuneNyhuus commented on GitHub (Jul 5, 2023):

Have this issue been fixed?
https://labs.hakaioffsec.com/nginx-alias-traversal/

I think i just lost my vault to an hacker, and they prop. used this method?

@RuneNyhuus commented on GitHub (Jul 5, 2023): Have this issue been fixed? https://labs.hakaioffsec.com/nginx-alias-traversal/ I think i just lost my vault to an hacker, and they prop. used this method?

OVERLORD commented 2026-02-05 01:22:50 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jul 5, 2023):

Vaultwarden doesn't use nginx it self, so thats not vulnerable via that way. Also, Vaultwarden it self is not vulnerable to traversal.

I also do not see how a hacker would have stole your vault. If, then they would have had your credentials.

@BlackDex commented on GitHub (Jul 5, 2023): Vaultwarden doesn't use nginx it self, so thats not vulnerable via that way. Also, Vaultwarden it self is not vulnerable to traversal. I also do not see how a hacker would have stole your vault. If, then they would have had your credentials.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#1629