v2024.5.0 doesn't allow one to enroll in account recovery #476

New Issue

Closed

opened 2025-10-09 16:33:10 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2025-10-09 16:33:10 +03:00

Owner

Copy Link

Originally created by @realkinetix on GitHub.

Running vaultwarden 1.30.5-f05398a6 with bw_web build 2024.5.0 produces the following when trying to enroll in account recovery:

Jun 05 13:02:39 [vaultwarden] [2024-06-05 13:02:39.003][response][INFO] (get_organization_keys) GET /api/organizations/<org_id>/keys => 200 OK
Jun 05 13:02:39 [vaultwarden] [2024-06-05 13:02:39.763][request][INFO] PUT /api/organizations/39e583bf-50fe-41a0-86db-bfeefe01904d/users/246a5
106-ac41-4830-83ec-b64b07511886/reset-password-enrollment
Jun 05 13:02:39 [vaultwarden] [2024-06-05 13:02:39.763][vaultwarden::api][ERROR] No validation provided
Jun 05 13:02:39 [vaultwarden] [2024-06-05 13:02:39.763][response][INFO] (put_reset_password_enrollment) PUT /api/organizations/<org_id>/users/
<org_user_id>/reset-password-enrollment => 400 Bad Request

Switched to bw_web build v2024.3.1 and it works fine.

Originally created by @realkinetix on GitHub. Running vaultwarden 1.30.5-f05398a6 with bw_web build 2024.5.0 produces the following when trying to enroll in account recovery: ``` Jun 05 13:02:39 [vaultwarden] [2024-06-05 13:02:39.003][response][INFO] (get_organization_keys) GET /api/organizations/<org_id>/keys => 200 OK Jun 05 13:02:39 [vaultwarden] [2024-06-05 13:02:39.763][request][INFO] PUT /api/organizations/39e583bf-50fe-41a0-86db-bfeefe01904d/users/246a5 106-ac41-4830-83ec-b64b07511886/reset-password-enrollment Jun 05 13:02:39 [vaultwarden] [2024-06-05 13:02:39.763][vaultwarden::api][ERROR] No validation provided Jun 05 13:02:39 [vaultwarden] [2024-06-05 13:02:39.763][response][INFO] (put_reset_password_enrollment) PUT /api/organizations/<org_id>/users/ <org_user_id>/reset-password-enrollment => 400 Bad Request ``` Switched to bw_web build v2024.3.1 and it works fine.

OVERLORD closed this issue 2025-10-09 16:33:11 +03:00

OVERLORD commented 2025-10-09 16:33:14 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

Not sure if we should fix this in some way. Almost all those kind of actions send the hash to be verified server side too. And then someone removed that check. I wonder how it works if someone logged-in via device and tries to enroll them self.

I'm also not sure when that PR will be merged and if we can wait for that for example.

@BlackDex commented on GitHub: Not sure if we should fix this in some way. Almost all those kind of actions send the hash to be verified server side too. And then someone removed that check. I wonder how it works if someone logged-in via device and tries to enroll them self. I'm also not sure when that PR will be merged and if we can wait for that for example.

OVERLORD commented 2025-10-09 16:33:14 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

Seems like the client (since web-v2024.4.2 cf. bf11b90c43) only sends the "ResetPasswordKey" when enrolling manually into account recovery because they did not validate it server-side.

Should be fixed by https://github.com/bitwarden/clients/pull/8770 (but I have not looked if this requires further changes to our own validation logic).

@stefan0xC commented on GitHub: Seems like the client (since `web-v2024.4.2` cf. https://github.com/bitwarden/clients/commit/bf11b90c43902ac150eef4e35dbc68a9f7f16273) [only sends the "ResetPasswordKey"](https://github.com/bitwarden/clients/blob/eef1e511b51a5bb39bb5e70a3bfc6be84921b619/apps/web/src/app/admin-console/organizations/users/enroll-master-password-reset.component.ts#L51-L56) when enrolling manually into account recovery because they did not validate it server-side. Should be fixed by https://github.com/bitwarden/clients/pull/8770 (but I have not looked if this requires further changes to our own validation logic).

OVERLORD commented 2025-10-09 16:33:15 +03:00

Author

Owner

Copy Link

@addisonbeck commented on GitHub:

I'm not all that familiar with this issue in the context of vaultwarden, but I agree that https://github.com/bitwarden/clients/pull/8770 and it's sibling PRs will at least help resolve this since the primary end goal of that work is to do a server side hash verification during account recovery enrollment. Bitwarden clients will be sending a populated MasterPasswordHash to the API again, which seems to be what is expected for this to work.

Mostly chiming in because I can help with this:

I'm also not sure when that PR will be merged and if we can wait for that for example.

I'm expecting to start having this work QA'd in the next week or so. The changes should be in main in the next couple of weeks, and will mostly likely land in production in mid July.

You could fix this a little faster in vaultwarden if you're willing to temporarily remove the server side hash check and put it back later. This is a small security issue, but the amount of things that would already need to have gone wrong for it to be exploited is high.

@addisonbeck commented on GitHub: I'm not all that familiar with this issue in the context of `vaultwarden`, but I agree that https://github.com/bitwarden/clients/pull/8770 and it's sibling PRs will at least help resolve this since the primary end goal of that work is to do a server side hash verification during account recovery enrollment. Bitwarden clients will be sending a populated `MasterPasswordHash` to the API again, which seems to be what is expected for this to work. Mostly chiming in because I can help with this: > I'm also not sure when that PR will be merged and if we can wait for that for example. I'm expecting to start having this work QA'd in the next week or so. The changes should be in `main` in the next couple of weeks, and will mostly likely land in production in mid July. You could fix this a little faster in `vaultwarden` if you're willing to temporarily remove the server side hash check and put it back later. This is a small security issue, but the amount of things that would already need to have gone wrong for it to be exploited is high.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

test_dylint

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

bug

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#476