[GH-ISSUE #2761] "Bypass admin page security" should not be overrideable by admin-page #10180

Closed
opened 2026-04-20 13:34:28 -05:00 by GiteaMirror · 6 comments
Owner

Originally created by @kosli on GitHub (Sep 23, 2022).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2761

Originally assigned to: @BlackDex on GitHub.

The option in the admin page to "Bypass admin page security" should not be able to override what was set in the environment as this imposes a security risk.

e.g. as owner of a vaultwarden instance it would be great to set the "default" values in the environment, so that I still give an admin access to the admin pages, but he cannot override the values that I have set. -> especially if the settings can have such a big impact as bypassing the admin page security.

Originally created by @kosli on GitHub (Sep 23, 2022). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2761 Originally assigned to: @BlackDex on GitHub. The option in the admin page to "Bypass admin page security" should not be able to override what was set in the environment as this imposes a security risk. e.g. as owner of a vaultwarden instance it would be great to set the "default" values in the environment, so that I still give an admin access to the admin pages, but he cannot override the values that I have set. -> especially if the settings can have such a big impact as bypassing the admin page security.
GiteaMirror added the enhancement label 2026-04-20 13:34:28 -05:00
Author
Owner

@stefan0xC commented on GitHub (Sep 26, 2022):

I agree that it might be nice to prevent changing the config via admin panel altogether but why would you give someone else access to the admin panel? Especially if you don't trust them enough to not mess with your settings.

As a workaround for your problem I'd probably recommend setting up an additional authentication layer for the /admin panel in your reverse proxy.

<!-- gh-comment-id:1258517371 --> @stefan0xC commented on GitHub (Sep 26, 2022): I agree that it might be nice to prevent changing the config via admin panel altogether but why would you give someone else access to the admin panel? Especially if you don't trust them enough to not mess with your settings. As a workaround for your problem I'd probably recommend setting up an additional authentication layer for the `/admin` panel in your reverse proxy.
Author
Owner

@kosli commented on GitHub (Sep 26, 2022):

It is not about trust. Even if I trust them, it is just to "easy" to set a tick and immediately the admin interface is widely open to the world (and shodan etc.). I don't see the use-case for having the web UI overriding the env settings -> I would even turn it around and everything set be the env cannot be changed/overriden via the web UI -> as the env always needs higher privileges than the web UI to access it.

<!-- gh-comment-id:1258534333 --> @kosli commented on GitHub (Sep 26, 2022): It is not about trust. Even if I trust them, it is just to "easy" to set a tick and immediately the admin interface is widely open to the world (and shodan etc.). I don't see the use-case for having the web UI overriding the env settings -> I would even turn it around and everything set be the env cannot be changed/overriden via the web UI -> as the env always needs higher privileges than the web UI to access it.
Author
Owner

@BlackDex commented on GitHub (Sep 26, 2022):

Regarding the env vs config, this is a design choice made in the past which isn't easily to be changed at this point. So, config.json overrides env's.

Only thing we could do right now is too move that specific setting to read only, which prevents it from being edited in the interface.

With that, i think we also need to do some other changes, but i have to think those through.

<!-- gh-comment-id:1258542419 --> @BlackDex commented on GitHub (Sep 26, 2022): Regarding the env vs config, this is a design choice made in the past which isn't easily to be changed at this point. So, config.json overrides env's. Only thing we could do right now is too move that specific setting to read only, which prevents it from being edited in the interface. With that, i think we also need to do some other changes, but i have to think those through.
Author
Owner

@BlackDex commented on GitHub (Sep 26, 2022):

Also, as @stefan0xC mentioned, i would definitely add an extra auth in front of the admin endpoint, this also prevents shodan from getting specific info.

<!-- gh-comment-id:1258544661 --> @BlackDex commented on GitHub (Sep 26, 2022): Also, as @stefan0xC mentioned, i would definitely add an extra auth in front of the admin endpoint, this also prevents shodan from getting specific info.
Author
Owner

@kosli commented on GitHub (Sep 26, 2022):

Thanks @BlackDex & @stefan0xC Would appreciate that specific config to be extra-protected. And good point with the extra auth, for multiple reasons, and with traefik this is an easy one.

<!-- gh-comment-id:1258546832 --> @kosli commented on GitHub (Sep 26, 2022): Thanks @BlackDex & @stefan0xC Would appreciate that specific config to be extra-protected. And good point with the extra auth, for multiple reasons, and with traefik this is an easy one.
Author
Owner

@kosli commented on GitHub (Dec 6, 2022):

Thanks @BlackDex Looking forward to be available in the next release

<!-- gh-comment-id:1339663131 --> @kosli commented on GitHub (Dec 6, 2022): Thanks @BlackDex Looking forward to be available in the next release
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#10180