Question: why is ADMIN_TOKEN not mandatory #240

Closed
opened 2025-10-09 16:18:48 +03:00 by OVERLORD · 11 comments

Originally created by @jflecool2 on GitHub.

Hello!
First, thanks for creating vaultwarden!!
I have a question,
Considering vaultwarden stores passwords (safety is primordial),
Considering an argon 'ADMIN_TOKEN' is necessary to be safe (according to https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0),
Why is ADMIN_TOKEN not forced?
If I hadn't checked the new release, I would never have known. It's maybe in the log (?), but I don't think everyone looks at the logs. I know I don't.
Thanks
@stefan0xC commented on GitHub:

I'd recommend never setting `DISABLE_ADMIN_TOKEN=true`. If you need the `/admin` panel, I'd probably recommend setting up an additional form of access control (i.e. restricting it to a specific IP address / VPN) instead. I mean, disabling it and only enabling it when needed should be fine too, but personally I think that would be a bit of a hassle.
@stefan0xC commented on GitHub:

If you have no `ADMIN_TOKEN` (nor `DISABLE_ADMIN_TOKEN=true`) set, the `/admin` panel is not active and there would have been no security flaw to be exploited. Or to quote the [linked advisory](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-f7r5-w49x-gxm3):

> This requires the `DISABLE_ADMIN_TOKEN` option to be enabled, as the authentication cookie will not be sent across site boundaries.
@BlackDex commented on GitHub:

And this, as @stefan0xC says: you need to disable it specifically, and the token is mandatory.
@BlackDex commented on GitHub:

If you just set a token, and maybe as an extra add basic auth or Authelia or something via your reverse proxy, that should be more than enough.
@7heMech commented on GitHub:

Hey, sorry to chip in, would you guys recommend keeping admin disabled until changes need to be made?
@BlackDex commented on GitHub:

> Ok I think I get it:
>
> • DISABLE_ADMIN_TOKEN = admin but unsafe = not recommended + [GHSA-f7r5-w49x-gxm3](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-f7r5-w49x-gxm3)

Yes / No. The security issue is already fixed, with or without admin token. But it's not advised.

> • ADMIN_TOKEN + DISABLE_ADMIN_TOKEN = probably 'admin but safe' = no problem

No, since `DISABLE_ADMIN_TOKEN`, as the option says, disables the token, and thus renders `ADMIN_TOKEN` not used.
@stefan0xC commented on GitHub:

> correct?

No. `DISABLE_ADMIN_TOKEN` is inherently unsafe as it straight up enables the `/admin` panel to be used without a password. The idea would be that you are responsible for setting up a separate auth layer as described by the comment.
https://github.com/dani-garcia/vaultwarden/blob/3c29f8297450c6e43369bc210383bb2d455565c0/.env.template#L395-L397
So personally I think that option in itself is a security flaw, which is why I'd never recommend enabling it.
@BlackDex commented on GitHub:

Also, I would not change settings via the admin interface though. Only checking users and orgs, and diagnostics.
@jflecool2 commented on GitHub:

Ok I think I get it:

  • No env: No admin = no problem
  • ADMIN_TOKEN = admin but safe = no problem
  • DISABLE_ADMIN_TOKEN = admin but unsafe = not recommended + GHSA-f7r5-w49x-gxm3
  • ADMIN_TOKEN + DISABLE_ADMIN_TOKEN = probably 'admin but safe' = no problem

correct?
@7heMech commented on GitHub:

> Also, I would not change settings via the admin interface though. Only checking users and orgs, and diagnostics.

Oh, well, I set up everything from there already 😓
My instance is proxied behind Cloudflare, I could set up some rules over there for /admin, yeah. Thanks so much for the advice!
@jflecool2 commented on GitHub:

Ok I understand!
From where I stand, default is safe, ADMIN_TOKEN is safe, and DISABLE_ADMIN_TOKEN is somewhat inherently unsafe, but the name already implies that it's unsafe in my opinion, so it's fine. Thanks guys! Vaultwarden rocks!
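A small audit script, added here as an example and not part of the vaultwarden project or of any comment in the thread, that applies the matrix worked out above to a `.env` file: no token and no `DISABLE_ADMIN_TOKEN` means `/admin` is inactive, a token alone means `/admin` is password-protected, and `DISABLE_ADMIN_TOKEN=true` means `/admin` is usable without a password whether or not a token is set. It additionally reports whether the token is stored as an argon2 PHC hash (the layout printed by `vaultwarden hash`) or in plaintext. It assumes that only the literal value `true` enables `DISABLE_ADMIN_TOKEN`; the `.env` fragments inside it are constructed, and the salt and hash in them are placeholders, not real output.

```python
"""Audit the /admin panel configuration in a vaultwarden .env file.

Constructed example (not vaultwarden's own code). It applies the matrix
from the thread:
  - neither ADMIN_TOKEN nor DISABLE_ADMIN_TOKEN set    -> /admin inactive
  - ADMIN_TOKEN set, DISABLE_ADMIN_TOKEN not true      -> /admin protected by the token
  - DISABLE_ADMIN_TOKEN=true (with or without a token) -> /admin usable without a password
and also checks whether the token is an argon2 PHC hash rather than plaintext.
"""
import re
import sys
from typing import Dict, Tuple

# Argon2 PHC string: $argon2id$v=19$m=<kib>,t=<iters>,p=<lanes>$<salt>$<hash>
# (salt and hash are base64; '=' padding is tolerated here to be lenient).
ARGON2_PHC_RE = re.compile(
    r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$"
)


def parse_env(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE per line; '#' comment lines and blank lines
    are skipped; one layer of surrounding single or double quotes is stripped.
    Argon2 tokens contain '$', so they are normally single-quoted in .env files."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split on the first '=' only; PHC strings contain '='
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
            value = value[1:-1]
        env[key.strip()] = value
    return env


def classify_admin(env: Dict[str, str]) -> Tuple[str, str]:
    """Return (state, advice) for the /admin panel.

    Assumption: only the literal value 'true' (case-insensitive) counts as
    enabling DISABLE_ADMIN_TOKEN, matching the DISABLE_ADMIN_TOKEN=true form
    used in the thread."""
    token = env.get("ADMIN_TOKEN", "").strip()
    disabled = env.get("DISABLE_ADMIN_TOKEN", "").strip().lower() == "true"
    if disabled:
        return (
            "admin-unauthenticated",
            "DISABLE_ADMIN_TOKEN=true makes /admin usable without a password and "
            "ADMIN_TOKEN is ignored; remove it, or gate /admin with a separate auth "
            "layer (reverse-proxy basic auth, IP allowlist or VPN).",
        )
    if not token:
        return ("admin-inactive", "/admin is not active; nothing to do.")
    if ARGON2_PHC_RE.match(token):
        return ("admin-token-hashed", "/admin is protected by an argon2-hashed token.")
    return (
        "admin-token-plaintext",
        "ADMIN_TOKEN is stored in plaintext; replace it with the argon2 hash "
        "printed by `vaultwarden hash`.",
    )


def audit_env(text: str) -> str:
    """Parse and classify, returning only the state label."""
    return classify_admin(parse_env(text))[0]


# Constructed sample .env fragments. The salt and hash below are placeholders,
# not output of a real `vaultwarden hash` run.
SAMPLE_INACTIVE = "# ADMIN_TOKEN=unset\nDOMAIN=https://vault.example.test\n"
SAMPLE_PLAINTEXT = "ADMIN_TOKEN=plaintext-token-constructed\n"
SAMPLE_HASHED = (
    "ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA'\n"
)
SAMPLE_DISABLED = SAMPLE_HASHED + "DISABLE_ADMIN_TOKEN=true\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit_admin.py /path/to/.env
        with open(sys.argv[1], encoding="utf-8") as fh:
            state, advice = classify_admin(parse_env(fh.read()))
        print(f"{state}: {advice}")
    else:
        for name, text in [
            ("inactive", SAMPLE_INACTIVE),
            ("plaintext", SAMPLE_PLAINTEXT),
            ("hashed", SAMPLE_HASHED),
            ("disabled", SAMPLE_DISABLED),
        ]:
            state, advice = classify_admin(parse_env(text))
            print(f"{name:10s} {state:24s} {advice}")
```

Run it with a path to a `.env` file to audit a real instance, or with no arguments to see the four constructed cases classified. The parser deliberately splits on the first `=` only, because an argon2 PHC string itself contains `=` characters.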

Reference: starred/vaultwarden#240