Items in organization but not in collection - not showing in recent web vault or mobile #2124

New Issue

Closed

opened 2026-02-05 03:20:44 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-05 03:20:44 +03:00

Owner

Copy Link

Originally created by @nneul on GitHub (Jan 6, 2025).

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.32.7
• Web-vault version: v2024.6.2c
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: MySQL
• Database version: 11.4.4-MariaDB
• Environment settings overridden!: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://***********************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": false,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Neulinger Consulting",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 2000,
  "org_creation_users": "*******************",
  "org_events_enabled": true,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "*************",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "Neulinger Bitwarden",
  "smtp_host": "*****************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 1000,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.32.7

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

apache

Host/Server Operating System

Linux

Operating System Version

Debian 12.8

Clients

Web Vault, Browser Extension, CLI

Client Version

v2024.12.4

Steps To Reproduce

1. Run older (latest instead of testing) version of server - find an item in an organization that is not mapped to a collection. (This seems like it shouldn't be possible/valid, but it is in the system.)
2. With newer client - try to find the item. No searches will return it.
3. Edit the item and add it to a collection.
4. Resync client
5. Now it will show up in searches

NOTE - It does not appear to be possible to create this situation - the UI prevents you from removing items from all collections, but if the situation already exists, it appears to present issues.

6. Upgrade to :testing
7. Now the item can't even be found in the web vault.

Expected Result

Since this appears to be a situation that isn't supposed to exist, I'm not sure the best solution. Two possibilities:

A) Highlight the entries/flagged in some way in the web UI as "missing collection"
B) Fix web vault behavior so they do show up
C) Transfer ownership out of organization to the user (this seems questionable from a security policy standpoint)
D) Spontaneously create a "Orphaned Items" collection with no users explicitly granted access - and automatically add any item found without a collection into the orphaned items collection. This option seems like the safest one, since it should result in no effective changes in access/etc.

Actual Result

Something about newer web vaults and clients is resulting in "item in an org missing a collection" being lost/inaccessible in new version of code.

Logs

No response

Screenshots or Videos

No response

Additional Context

MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is not null and uuid not in (select cipher_uuid from ciphers_collections);
+----------+
| count(*) |
+----------+
|      180 |
+----------+
1 row in set (0.000 sec)

MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is not null and uuid in (select cipher_uuid from ciphers_collections);
+----------+
| count(*) |
+----------+
|      551 |
+----------+
1 row in set (0.003 sec)

MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is null and uuid in (select cipher_uuid from ciphers_collections);
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0.003 sec)

MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is null and uuid not in (select cipher_uuid from ciphers_collections);
+----------+
| count(*) |
+----------+
|     1451 |
+----------+
1 row in set (0.004 sec)

Originally created by @nneul on GitHub (Jan 6, 2025). ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.32.7 * Web-vault version: v2024.6.2c * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: MySQL * Database version: 11.4.4-MariaDB * Environment settings overridden!: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "*****://***********************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*************************", "domain_origin": "*****://*************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": false, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Neulinger Consulting", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": 2000, "org_creation_users": "*******************", "org_events_enabled": true, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 100000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": true, "signups_allowed": false, "signups_domains_whitelist": "*************", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***********************", "smtp_from_name": "Neulinger Bitwarden", "smtp_host": "*****************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "******", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 1000, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.32.7 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy apache ### Host/Server Operating System Linux ### Operating System Version Debian 12.8 ### Clients Web Vault, Browser Extension, CLI ### Client Version v2024.12.4 ### Steps To Reproduce 1. Run older (latest instead of testing) version of server - find an item in an organization that is not mapped to a collection. (This seems like it shouldn't be possible/valid, but it is in the system.) 2. With newer client - try to find the item. No searches will return it. 3. Edit the item and add it to a collection. 4. Resync client 5. Now it will show up in searches NOTE - It does not appear to be possible to _create_ this situation - the UI prevents you from removing items from all collections, but if the situation already exists, it appears to present issues. 6. Upgrade to :testing 7. Now the item can't even be found in the web vault. ### Expected Result Since this appears to be a situation that isn't supposed to exist, I'm not sure the best solution. Two possibilities: A) Highlight the entries/flagged in some way in the web UI as "missing collection" B) Fix web vault behavior so they do show up C) Transfer ownership out of organization to the user (this seems questionable from a security policy standpoint) D) Spontaneously create a "Orphaned Items" collection with no users explicitly granted access - and automatically add any item found without a collection into the orphaned items collection. This option seems like the safest one, since it should result in no effective changes in access/etc. ### Actual Result Something about newer web vaults and clients is resulting in "item in an org missing a collection" being lost/inaccessible in new version of code. ### Logs _No response_ ### Screenshots or Videos _No response_ ### Additional Context ``` MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is not null and uuid not in (select cipher_uuid from ciphers_collections); +----------+ | count(*) | +----------+ | 180 | +----------+ 1 row in set (0.000 sec) MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is not null and uuid in (select cipher_uuid from ciphers_collections); +----------+ | count(*) | +----------+ | 551 | +----------+ 1 row in set (0.003 sec) MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is null and uuid in (select cipher_uuid from ciphers_collections); +----------+ | count(*) | +----------+ | 0 | +----------+ 1 row in set (0.003 sec) MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is null and uuid not in (select cipher_uuid from ciphers_collections); +----------+ | count(*) | +----------+ | 1451 | +----------+ 1 row in set (0.004 sec) ```

OVERLORD added the bug label 2026-02-05 03:20:44 +03:00

OVERLORD closed this issue 2026-02-05 03:20:51 +03:00

OVERLORD commented 2026-02-05 03:21:00 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub (Jan 6, 2025):

To reproduce: If you delete a collection, the items that were in the collection will be unassigned. Cf. https://bitwarden.com/help/about-collections/#manage-a-collection

Regarding the issue itself: I think that's expected behavior now that you only will see the items in assigned collections. That used to be different (that you would see all items with access all in the password manager) but Bitwarden changed it, so they'll only show up in the Admin Console. edit: okay, it's seems they still show up as Owner/Admin.

@stefan0xC commented on GitHub (Jan 6, 2025): To reproduce: If you delete a collection, the items that were in the collection will be unassigned. Cf. https://bitwarden.com/help/about-collections/#manage-a-collection Regarding the issue itself: I think that's expected behavior now that you only will see the items in assigned collections. That used to be different (that you would see all items with access all in the password manager) but Bitwarden changed it, so they'll only show up in the Admin Console. edit: okay, it's seems they still show up as Owner/Admin.

OVERLORD commented 2026-02-05 03:21:10 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jan 6, 2025):

I do not think we can do anything about this.
If the clients do not allow searching for those items it's a client side issue, or maybe even by design.
Though, I'm able to search for them in my environment just fine, but I'm an Owner there, and i guess users are probably not allowed to view those items for security reasons.

You can still per organization go to the collections and select the Unassigned collection to see and fix those.

@BlackDex commented on GitHub (Jan 6, 2025): I do not think we can do anything about this. If the clients do not allow searching for those items it's a client side issue, or maybe even by design. Though, I'm able to search for them in my environment just fine, but I'm an Owner there, and i guess users are probably not allowed to view those items for security reasons. You can still per organization go to the collections and select the **Unassigned** collection to see and fix those. 

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

troubleshooting

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#2124