Warm users about access key leakage in access logs #1931

New Issue

Closed

opened 2026-02-05 02:16:10 +03:00 by OVERLORD · 4 comments

OVERLORD commented 2026-02-05 02:16:10 +03:00

Owner

Copy Link

Originally created by @rwjack on GitHub (Jun 7, 2024).

Not really a bug, but I think the docs should provide info about this: https://github.com/bitwarden/clients/issues/4290

I just saw that from v1.29.0, WSS is enabled by default, which means all access tokens and encrypted data is being stored in plaintext in reverse proxy access logs, unless the proxy is configured to filter out such requests.

Originally created by @rwjack on GitHub (Jun 7, 2024). Not really a bug, but I think the docs should provide info about this: https://github.com/bitwarden/clients/issues/4290 I just saw that from v1.29.0, WSS is enabled by default, which means all access tokens and encrypted data is being stored in plaintext in reverse proxy access logs, unless the proxy is configured to filter out such requests.

OVERLORD closed this issue 2026-02-05 02:16:13 +03:00

OVERLORD commented 2026-02-05 02:16:17 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jun 8, 2024):

Which documentation are you referring to? If it is the wiki, then go ahead and add this warning 😄.

Also, i do hope that your reverse proxy can't decrypt the encrypted data and stores that unencrypted somewhere. Not sure what you mean with that specific part. All data is encrypted by the clients and send encrypted over the wire. Those values are never added as GET parameters and thus should not end up in your logs.

@BlackDex commented on GitHub (Jun 8, 2024): Which documentation are you referring to? If it is the wiki, then go ahead and add this warning 😄. Also, i do hope that your reverse proxy can't decrypt the encrypted data and stores that unencrypted somewhere. Not sure what you mean with that specific part. All data is encrypted by the clients and send encrypted over the wire. Those values are never added as GET parameters and thus should not end up in your logs.

OVERLORD commented 2026-02-05 02:16:21 +03:00

Author

Owner

Copy Link

@rwjack commented on GitHub (Jun 9, 2024):

I cannot confirm what data is being sent, but something is definitely being sent as a GET request, so some parameters get saved in the access logs.

Here's an example:

/notifications/hub?access_token=[this part is always the same].eyJuYmYi[redacted]sImV4cCI6MTcxNzc1NzQ1OCwiaXN[redacted]M6Ly92YXVsdC5zZWMuYXJwYXxsb2dpbiIsInN1YiI6ImY5YmVhN[redacted]tNGJjNS05MDY2LTQ3NjFlZmY4ND[redacted]sInByZW1pdW0iOnRydWU[redacted]JjaXBoZXIiLCJlbWFpbCI6ImNpc[redacted]ljdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJzc3RhbXAiOiJlZjM3[redacted]MjctODE2OS1hZTQ3NmFjNDc4MGQiLCJkZX[redacted]02ZTk3LTQ2N2M[redacted]jM3NmEiLCJzY29wZSI6WyJhcG[redacted]5lX2FjY2VzcyJdLCJhbXIiOlsiQXBwbGljY[redacted]hGDeCNdjTs1cOL2fV_OR96Sey-gA5eRa8OCGNgCrDeyYAPyk[redacted]BkQGwjEhD7fcWILxRYqQ7W6rkC2o[redacted]LB_nztpAgeRUbsPgsd3RNTWJDKdlH8aMf1[redacted]vB_doENJPeyaeMuEG85KqpAN2A[redacted]GeeCztxmQIe21PMtBG-SAgGeI[redacted]X_9mmyv0nISHBuHjhQ_km[redacted]VCLoFneb-MEzN[redacted]T8VcXSKhGXpwJUx8j1[redacted]k_nH27vrD2Dg

@rwjack commented on GitHub (Jun 9, 2024): I cannot confirm what data is being sent, but something is definitely being sent as a GET request, so some parameters get saved in the access logs. Here's an example: ``` /notifications/hub?access_token=[this part is always the same].eyJuYmYi[redacted]sImV4cCI6MTcxNzc1NzQ1OCwiaXN[redacted]M6Ly92YXVsdC5zZWMuYXJwYXxsb2dpbiIsInN1YiI6ImY5YmVhN[redacted]tNGJjNS05MDY2LTQ3NjFlZmY4ND[redacted]sInByZW1pdW0iOnRydWU[redacted]JjaXBoZXIiLCJlbWFpbCI6ImNpc[redacted]ljdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJzc3RhbXAiOiJlZjM3[redacted]MjctODE2OS1hZTQ3NmFjNDc4MGQiLCJkZX[redacted]02ZTk3LTQ2N2M[redacted]jM3NmEiLCJzY29wZSI6WyJhcG[redacted]5lX2FjY2VzcyJdLCJhbXIiOlsiQXBwbGljY[redacted]hGDeCNdjTs1cOL2fV_OR96Sey-gA5eRa8OCGNgCrDeyYAPyk[redacted]BkQGwjEhD7fcWILxRYqQ7W6rkC2o[redacted]LB_nztpAgeRUbsPgsd3RNTWJDKdlH8aMf1[redacted]vB_doENJPeyaeMuEG85KqpAN2A[redacted]GeeCztxmQIe21PMtBG-SAgGeI[redacted]X_9mmyv0nISHBuHjhQ_km[redacted]VCLoFneb-MEzN[redacted]T8VcXSKhGXpwJUx8j1[redacted]k_nH27vrD2Dg ```

OVERLORD commented 2026-02-05 02:16:27 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jun 9, 2024):

As mentioned, that is only the JWT for the websocket connection indeed. But no other data is ever send via that way, thus no other data, encrypted or unencrypted is ever send over the wire as a GET request.

Only uuid's and are send as part the the path, and maybe timestamps, but that is about it.

Unfortunately there is no other way for the websockets, as the clients do not seem to support any other way then via get parameters.

Also, if some has access to your JWT, that doesn't make them able to decrypt your passwords. So, there isn't any real risk here.

And, the person who has access to those logs can then probably also make adjustments to your reverse proxy and manipulate the web-vault in such a way that it might leak your password, so that would be more of a risk then leaking the JWT I think.

@BlackDex commented on GitHub (Jun 9, 2024): As mentioned, that is only the JWT for the websocket connection indeed. But no other data is ever send via that way, thus no other data, encrypted or unencrypted is ever send over the wire as a GET request. Only uuid's and are send as part the the path, and maybe timestamps, but that is about it. Unfortunately there is no other way for the websockets, as the clients do not seem to support any other way then via get parameters. Also, if some has access to your JWT, that doesn't make them able to decrypt your passwords. So, there isn't any real risk here. And, the person who has access to those logs can then probably also make adjustments to your reverse proxy and manipulate the web-vault in such a way that it might leak your password, so that would be more of a risk then leaking the JWT I think.

OVERLORD commented 2026-02-05 02:16:30 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jun 9, 2024):

Also, as this is more of a documentation item and not an issue with Vaultwarden on the server side, ill move this to a discussion.

@BlackDex commented on GitHub (Jun 9, 2024): Also, as this is more of a documentation item and not an issue with Vaultwarden on the server side, ill move this to a discussion.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#1931