github-starred/vaultwarden
2
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-05-24 09:03:15 -05:00
Code Issues 307 Packages Projects Releases 83 Wiki Activity

[GH-ISSUE #6562] Broken ciphers created when collection is read-only #15258

New Issue
Closed
opened 2026-04-23 07:07:10 -05:00 by GiteaMirror · 8 comments
GiteaMirror commented 2026-04-23 07:07:10 -05:00
Owner
Copy Link

Originally created by @uedvt359 on GitHub (Dec 16, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6562

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-f9751a0a
  • Web-vault version: v2025.10.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 15.14 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-5), 64-bit
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (x-forwarded-for)
  • Internet access: false
  • Internet access via a proxy: true
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ORG_CREATION_USERS, INVITATIONS_ALLOWED, ADMIN_TOKEN, IP_HEADER, SSO_ENABLED, SSO_SIGNUPS_MATCH_EMAIL, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SSO_MASTER_PASSWORD_POLICY, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 10,
  "admin_ratelimit_seconds": 60,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/opt/vaultwarden/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/opt/vaultwarden",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "**********://*************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://******************",
  "domain_origin": "*****://******************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/opt/vaultwarden/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 0,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "x-forwarded-for",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 50,
  "login_ratelimit_seconds": 10,
  "org_attachment_limit": null,
  "org_creation_users": "******************************",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/opt/vaultwarden/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/opt/vaultwarden/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "***********",
  "smtp_host": "**********************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": true,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://******************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://***********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "****************************************************************",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": "{\"minComplexity\":3,\"minLength\":12,\"requireLower\":true,\"requireNumbers\":true,\"requireSpecial\":false,\"requireUpper\":true}",
  "sso_only": true,
  "sso_pkce": true,
  "sso_scopes": "profile offline_access",
  "sso_signups_match_email": false,
  "templates_folder": "/templates",
  "tmp_folder": "/opt/vaultwarden/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": true,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.34.3-f9751a0a

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

n/a

Host/Server Operating System

Linux

Operating System Version

rhel9

Clients

CLI

Client Version

api requests

Steps To Reproduce

  1. create a user for API access and join it to your ORG
  2. add this user to a collection with permission view-only.
  3. create a new cipher using the /api/ciphers/create endpoint, and set collections to the uuid of the read-only collection from step 2

Expected Result

cipher creation should fail, and no half-finished entries should be written to the database

Actual Result

cipher creation returns a 400 "No rights to modify the collection" error, but it creates an entry in the ciphers table, with the data column being the empty string.

later calls to /api/sync then cause an "Error parsing data field for " log message for each cipher that was attemted to get created in a read-only collection.

Logs

(post_ciphers_create) POST /api/ciphers/create => 400 Bad Request
No rights to modify the collection



Error parsing data field for fe92b3a8-cbbf-47a8-b7d1-b90ae16b81fb
Error parsing data field for ff5764f2-1189-411d-869c-2d6d45b89f44
(sync) GET /api/sync?<data..> => 200 OK

Screenshots or Videos

No response

Additional Context

No response

Originally created by @uedvt359 on GitHub (Dec 16, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6562 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-f9751a0a * Web-vault version: v2025.10.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 15.14 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-5), 64-bit * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (x-forwarded-for) * Internet access: false * Internet access via a proxy: true * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: n/a * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ORG_CREATION_USERS, INVITATIONS_ALLOWED, ADMIN_TOKEN, IP_HEADER, SSO_ENABLED, SSO_SIGNUPS_MATCH_EMAIL, SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION, SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_AUTHORITY, SSO_SCOPES, SSO_MASTER_PASSWORD_POLICY, SSO_AUTH_ONLY_NOT_SESSION, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": false, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 10, "admin_ratelimit_seconds": 60, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "/opt/vaultwarden/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "/opt/vaultwarden", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "**********://*************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://******************", "domain_origin": "*****://******************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": false, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "/opt/vaultwarden/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 0, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "x-forwarded-for", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 50, "login_ratelimit_seconds": 10, "org_attachment_limit": null, "org_creation_users": "******************************", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "/opt/vaultwarden/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "/opt/vaultwarden/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***********************", "smtp_from_name": "***********", "smtp_host": "**********************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": true, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://******************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://***********************************************", "sso_client_cache_expiration": 0, "sso_client_id": "****************************************************************", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": "{\"minComplexity\":3,\"minLength\":12,\"requireLower\":true,\"requireNumbers\":true,\"requireSpecial\":false,\"requireUpper\":true}", "sso_only": true, "sso_pkce": true, "sso_scopes": "profile offline_access", "sso_signups_match_email": false, "templates_folder": "/templates", "tmp_folder": "/opt/vaultwarden/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": true, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.34.3-f9751a0a ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy n/a ### Host/Server Operating System Linux ### Operating System Version rhel9 ### Clients CLI ### Client Version api requests ### Steps To Reproduce 1. create a user for API access and join it to your ORG 2. add this user to a collection with permission view-only. 3. create a new cipher using the `/api/ciphers/create` endpoint, and set `collections` to the uuid of the read-only collection from step 2 ### Expected Result cipher creation should fail, and no half-finished entries should be written to the database ### Actual Result cipher creation returns a 400 "No rights to modify the collection" error, but it creates an entry in the `ciphers` table, with the `data` column being the empty string. later calls to `/api/sync` then cause an "Error parsing data field for <uuid>" log message for each cipher that was attemted to get created in a read-only collection. ### Logs ```text (post_ciphers_create) POST /api/ciphers/create => 400 Bad Request No rights to modify the collection Error parsing data field for fe92b3a8-cbbf-47a8-b7d1-b90ae16b81fb Error parsing data field for ff5764f2-1189-411d-869c-2d6d45b89f44 (sync) GET /api/sync?<data..> => 200 OK ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_
GiteaMirror added the bug label 2026-04-23 07:07:10 -05:00
GiteaMirror commented 2026-04-23 07:07:12 -05:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Dec 20, 2025):

Well, it basically isn't a broken cipher created, but more that how we create a new cipher. It first gets stored, and after that shared/linked to the organization and checked if that the user is allowed to access the provided collection's.

So the cipher is ok, but only if it's linked to an org, which in this case isn't and still linked to the user, and therefor not able to be decrypted.

I have this fixed #6578 , that will warn earlier before even creating a new key.

<!-- gh-comment-id:3678022925 --> @BlackDex commented on GitHub (Dec 20, 2025): Well, it basically isn't a broken cipher created, but more that how we create a new cipher. It first gets stored, and after that shared/linked to the organization and checked if that the user is allowed to access the provided collection's. So the cipher is ok, but only if it's linked to an org, which in this case isn't and still linked to the user, and therefor not able to be decrypted. I have this fixed #6578 , that will warn earlier before even creating a new key.
GiteaMirror commented 2026-04-23 07:07:12 -05:00
Author
Owner
Copy Link

@uedvt359 commented on GitHub (Dec 22, 2025):

Thanks for the quick fix!

So the cipher is ok, but only if it's linked to an org, which in this case isn't and still linked to the user, and therefor not able to be decrypted.

Maybe we are talking about slightly different bugs? I definitely have completely broken entries in the database. Notice how data does not contain any information (it's the empty string). if it were just an un-decryptable string, it should still store the encrypted JSON payload.

vaultwarden=# \x
vaultwarden=# select * from ciphers where data = '' limit 1;
-[ RECORD 1 ]-----+---------------------------------------------------------------------------------------------------------------------
uuid              | aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
created_at        | 2025-12-20 00:44:39.294796
updated_at        | 2025-12-20 00:44:39.295992
user_uuid         | 00000000-1111-2222-3333-444444444444
organization_uuid | 
atype             | 1
name              | 2.xxxxxxxxxxxxxxxxxxxxxx==|yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=|zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
notes             | 
fields            | 
data              | 
password_history  |
deleted_at        | 
reprompt          | 
key               |
<!-- gh-comment-id:3680702400 --> @uedvt359 commented on GitHub (Dec 22, 2025): Thanks for the quick fix! > So the cipher is ok, but only if it's linked to an org, which in this case isn't and still linked to the user, and therefor not able to be decrypted. Maybe we are talking about slightly different bugs? I definitely have completely broken entries in the database. Notice how `data` does not contain any information (it's the empty string). if it were just an un-decryptable string, it should still store the encrypted JSON payload. ``` vaultwarden=# \x vaultwarden=# select * from ciphers where data = '' limit 1; -[ RECORD 1 ]-----+--------------------------------------------------------------------------------------------------------------------- uuid | aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee created_at | 2025-12-20 00:44:39.294796 updated_at | 2025-12-20 00:44:39.295992 user_uuid | 00000000-1111-2222-3333-444444444444 organization_uuid | atype | 1 name | 2.xxxxxxxxxxxxxxxxxxxxxx==|yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=|zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz= notes | fields | data | password_history | deleted_at | reprompt | key | ```
GiteaMirror commented 2026-04-23 07:07:13 -05:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Dec 22, 2025):

I doubt it actually.
I used the same API call, though i used the web-vault and adjusted the collection and did a resend.

So either you are not sending the correct parameters/form elements, or something else strange is happening.

Maybe if you can provide the HTTP request and response that might help.

But the bug that keeping a cipher in the database upon an permission error is solved. That shouldn't happen again.

<!-- gh-comment-id:3680941767 --> @BlackDex commented on GitHub (Dec 22, 2025): I doubt it actually. I used the same API call, though i used the web-vault and adjusted the collection and did a resend. So either you are not sending the correct parameters/form elements, or something else strange is happening. Maybe if you can provide the HTTP request and response that might help. But the bug that keeping a cipher in the database upon an permission error is solved. That shouldn't happen again.
GiteaMirror commented 2026-04-23 07:07:13 -05:00
Author
Owner
Copy Link

@uedvt359 commented on GitHub (Dec 22, 2025):

i've attached a minimal reproducer. it uses https://pypi.org/project/python-vaultwarden/ to handle login and crypto, but the api call in question is made "manually".

[2025-12-22 08:37:07.684][request][INFO] POST /identity/connect/token
[2025-12-22 08:37:07.689][vaultwarden::api::identity][INFO] User serviceuser@example.org logged in successfully via API key. IP: 10.10.10.10
[2025-12-22 08:37:07.690][response][INFO] (login) POST /identity/connect/token => 200 OK
[2025-12-22 08:37:07.991][response][INFO] (sync) GET /api/sync?<data..> => 200 OK
[2025-12-22 08:37:08.056][request][INFO] POST /api/ciphers/create
[2025-12-22 08:37:08.078][vaultwarden::api::core::ciphers][ERROR] No rights to modify the collection
[2025-12-22 08:37:08.078][response][INFO] (post_ciphers_create) POST /api/ciphers/create => 400 Bad Request
[2025-12-22 08:37:08.083][request][INFO] GET /api/sync
[2025-12-22 08:37:08.088][vaultwarden::db::models::cipher][WARN] Error parsing data field for 99999999-8888-7777-6666-555555555555
[2025-12-22 08:37:08.089][response][INFO] (sync) GET /api/sync?<data..> => 200 OK

vaultwarden=# \x 
vaultwarden=# select * from ciphers where data = '';
-[ RECORD 4 ]-----+-------------------------------------------------------------------------------------------------
uuid              | 99999999-8888-7777-6666-555555555555
created_at        | 2025-12-22 08:37:08.057002
updated_at        | 2025-12-22 08:37:08.063007
user_uuid         | ffffffff-eeee-dddd-cccc-bbbbbbbbbbbb
organization_uuid | 
atype             | 1
name              | 2.AAAAAAAAAAAAAAAAAAAAAA==|BBBBBBBBBBBBBBBBBBBBBB==|CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
notes             | 
fields            | 
data              | 
password_history  | 
deleted_at        | 
reprompt          | 
key               | 

import os
from vaultwarden.clients.bitwarden import BitwardenAPIClient
from vaultwarden.models.bitwarden import Organization

os.environ['SSL_CERT_FILE'] = "/etc/pki/tls/cert.pem" # for BitwardenAPIClient's internal httpx.Client

vw_client = BitwardenAPIClient(
    url="https://vaultwarden.example.org",
    email="serviceuser@example.org",
    password=r"",
    client_id="user.",
    client_secret="",
    device_id="00000000-1111-2222-3333-444444444444"
)

org_id = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
col_id = "vvvvvvvv-wwww-xxxx-yyyy-zzzzzzzzzzzz"

# read out from vaultwarden, updated item and discarded some unneeded keys:
cipher = {'attachments': None, 'card': None, 'data': {'autofillOnPageLoad': None, 'fido2Credentials': None, 'fields': None, 'name': '2.AAAAAAAAAAAAAAAAAAAAAA==|BBBBBBBBBBBBBBBBBBBBBB==|CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=', 'notes': None, 'password': '2.DDDDDDDDDDDDDDDDDDDDDD==|EEEEEEEEEEEEEEEEEEEEEE==|FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF=', 'totp': None, 'uris': [{'match': None, 'uri': '2.GGGGGGGGGGGGGGGGGGGGGG==|HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=|IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII=', 'uriChecksum': '2.JJJJJJJJJJJJJJJJJJJJJJ==|KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK|LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL='}], 'username': '2.MMMMMMMMMMMMMMMMMMMMMM==|NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=|OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO='}, 'fields': None, 'identity': None, 'login': {'autofillOnPageLoad': None, 'fido2Credentials': None, 'fields': None, 'name': '2.AAAAAAAAAAAAAAAAAAAAAA==|BBBBBBBBBBBBBBBBBBBBBB==|CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=', 'notes': None, 'password': '2.DDDDDDDDDDDDDDDDDDDDDD==|EEEEEEEEEEEEEEEEEEEEEE==|FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF=', 'totp': None, 'uris': [{'match': None, 'uri': '2.GGGGGGGGGGGGGGGGGGGGGG==|HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=|IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII=', 'uriChecksum': '2.JJJJJJJJJJJJJJJJJJJJJJ==|KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK|LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL='}], 'username': '2.MMMMMMMMMMMMMMMMMMMMMM==|NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=|OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO='}, 'name': '2.AAAAAAAAAAAAAAAAAAAAAA==|BBBBBBBBBBBBBBBBBBBBBB==|CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=', 'notes': None, 'reprompt': 0, 'revisionDate': '2025-12-19T08:21:35.868703Z', 'secureNote': None, 'sshKey': None, 'type': 1, 'organizationId':org_id}


# part 1: insert broken record
r = target_client.api_request("POST", "/api/ciphers/create", json={
  "cipher": cipher,
  "collectionIds": [col_id]
})

# part 2: notice the sync error
syncdata = vw_client.sync() # causes "Error parsing data field for 99999999-8888-7777-6666-555555555555"
<!-- gh-comment-id:3681107228 --> @uedvt359 commented on GitHub (Dec 22, 2025): i've attached a minimal reproducer. it uses https://pypi.org/project/python-vaultwarden/ to handle login and crypto, but the api call in question is made "manually". ``` [2025-12-22 08:37:07.684][request][INFO] POST /identity/connect/token [2025-12-22 08:37:07.689][vaultwarden::api::identity][INFO] User serviceuser@example.org logged in successfully via API key. IP: 10.10.10.10 [2025-12-22 08:37:07.690][response][INFO] (login) POST /identity/connect/token => 200 OK [2025-12-22 08:37:07.991][response][INFO] (sync) GET /api/sync?<data..> => 200 OK [2025-12-22 08:37:08.056][request][INFO] POST /api/ciphers/create [2025-12-22 08:37:08.078][vaultwarden::api::core::ciphers][ERROR] No rights to modify the collection [2025-12-22 08:37:08.078][response][INFO] (post_ciphers_create) POST /api/ciphers/create => 400 Bad Request [2025-12-22 08:37:08.083][request][INFO] GET /api/sync [2025-12-22 08:37:08.088][vaultwarden::db::models::cipher][WARN] Error parsing data field for 99999999-8888-7777-6666-555555555555 [2025-12-22 08:37:08.089][response][INFO] (sync) GET /api/sync?<data..> => 200 OK vaultwarden=# \x vaultwarden=# select * from ciphers where data = ''; -[ RECORD 4 ]-----+------------------------------------------------------------------------------------------------- uuid | 99999999-8888-7777-6666-555555555555 created_at | 2025-12-22 08:37:08.057002 updated_at | 2025-12-22 08:37:08.063007 user_uuid | ffffffff-eeee-dddd-cccc-bbbbbbbbbbbb organization_uuid | atype | 1 name | 2.AAAAAAAAAAAAAAAAAAAAAA==|BBBBBBBBBBBBBBBBBBBBBB==|CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC= notes | fields | data | password_history | deleted_at | reprompt | key | ``` ``` import os from vaultwarden.clients.bitwarden import BitwardenAPIClient from vaultwarden.models.bitwarden import Organization os.environ['SSL_CERT_FILE'] = "/etc/pki/tls/cert.pem" # for BitwardenAPIClient's internal httpx.Client vw_client = BitwardenAPIClient( url="https://vaultwarden.example.org", email="serviceuser@example.org", password=r"", client_id="user.", client_secret="", device_id="00000000-1111-2222-3333-444444444444" ) org_id = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" col_id = "vvvvvvvv-wwww-xxxx-yyyy-zzzzzzzzzzzz" # read out from vaultwarden, updated item and discarded some unneeded keys: cipher = {'attachments': None, 'card': None, 'data': {'autofillOnPageLoad': None, 'fido2Credentials': None, 'fields': None, 'name': '2.AAAAAAAAAAAAAAAAAAAAAA==|BBBBBBBBBBBBBBBBBBBBBB==|CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=', 'notes': None, 'password': '2.DDDDDDDDDDDDDDDDDDDDDD==|EEEEEEEEEEEEEEEEEEEEEE==|FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF=', 'totp': None, 'uris': [{'match': None, 'uri': '2.GGGGGGGGGGGGGGGGGGGGGG==|HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=|IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII=', 'uriChecksum': '2.JJJJJJJJJJJJJJJJJJJJJJ==|KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK|LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL='}], 'username': '2.MMMMMMMMMMMMMMMMMMMMMM==|NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=|OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO='}, 'fields': None, 'identity': None, 'login': {'autofillOnPageLoad': None, 'fido2Credentials': None, 'fields': None, 'name': '2.AAAAAAAAAAAAAAAAAAAAAA==|BBBBBBBBBBBBBBBBBBBBBB==|CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=', 'notes': None, 'password': '2.DDDDDDDDDDDDDDDDDDDDDD==|EEEEEEEEEEEEEEEEEEEEEE==|FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF=', 'totp': None, 'uris': [{'match': None, 'uri': '2.GGGGGGGGGGGGGGGGGGGGGG==|HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=|IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII=', 'uriChecksum': '2.JJJJJJJJJJJJJJJJJJJJJJ==|KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK|LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL='}], 'username': '2.MMMMMMMMMMMMMMMMMMMMMM==|NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=|OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO='}, 'name': '2.AAAAAAAAAAAAAAAAAAAAAA==|BBBBBBBBBBBBBBBBBBBBBB==|CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=', 'notes': None, 'reprompt': 0, 'revisionDate': '2025-12-19T08:21:35.868703Z', 'secureNote': None, 'sshKey': None, 'type': 1, 'organizationId':org_id} # part 1: insert broken record r = target_client.api_request("POST", "/api/ciphers/create", json={ "cipher": cipher, "collectionIds": [col_id] }) # part 2: notice the sync error syncdata = vw_client.sync() # causes "Error parsing data field for 99999999-8888-7777-6666-555555555555" ```
GiteaMirror commented 2026-04-23 07:07:14 -05:00
Author
Owner
Copy Link

@bsv9 commented on GitHub (Jan 22, 2026):

I am encountering the same issue in the latest version (1.35.2). Could you please advise on how to resolve the broken items?

[2026-01-21 18:09:56.657][request][INFO] GET /api/sync?excludeDomains=true
[2026-01-21 18:09:56.683][vaultwarden::db::models::cipher][WARN] Error parsing data field for 502c9cde-5d15-4287-8abc-e8b271c9fc86
[2026-01-21 18:09:56.684][vaultwarden::db::models::cipher][WARN] Error parsing data field for b0c34a74-6fc5-4b2c-a061-5d57f1e6ca85
[2026-01-21 18:09:56.685][vaultwarden::db::models::cipher][WARN] Error parsing data field for c903bb58-481a-4c3a-b171-1168e3a6a0a5
[2026-01-21 18:09:56.685][vaultwarden::db::models::cipher][WARN] Error parsing data field for f2d01aa8-1be1-45fe-b6f6-1ecc1e1f9e4e


sqlite> select * from ciphers where data = '' order by created_at desc;
502c9cde-5d15-4287-8abc-e8b271c9fc86|2025-06-03 08:30:21.923074145|2025-06-03 08:30:21.923204810|77ed82e8-7959-42cc-b2be-451a1bf8b330||2|2.xxxxxxxxxx=|xxxxxxxxx|||||||
c903bb58-481a-4c3a-b171-1168e3a6a0a5|2025-05-28 15:43:44.253667665|2025-05-28 15:43:44.253823937|77ed82e8-7959-42cc-b2be-451a1bf8b330||2|2.xxxxxxxxxx=|xxxxxxxxx|||||||
f2d01aa8-1be1-45fe-b6f6-1ecc1e1f9e4e|2025-05-28 15:40:12.877257236|2025-05-28 15:40:12.877445537|77ed82e8-7959-42cc-b2be-451a1bf8b330||2|2.xxxxxxxxxx=|xxxxxxxxx|||||||
b0c34a74-6fc5-4b2c-a061-5d57f1e6ca85|2025-05-28 15:40:03.210629901|2025-05-28 15:40:03.210821117|77ed82e8-7959-42cc-b2be-451a1bf8b330||2|2.xxxxxxxxxx=|xxxxxxxxx|||||||
sqlite>
<!-- gh-comment-id:3783032378 --> @bsv9 commented on GitHub (Jan 22, 2026): I am encountering the same issue in the latest version (1.35.2). Could you please advise on how to resolve the broken items? ``` [2026-01-21 18:09:56.657][request][INFO] GET /api/sync?excludeDomains=true [2026-01-21 18:09:56.683][vaultwarden::db::models::cipher][WARN] Error parsing data field for 502c9cde-5d15-4287-8abc-e8b271c9fc86 [2026-01-21 18:09:56.684][vaultwarden::db::models::cipher][WARN] Error parsing data field for b0c34a74-6fc5-4b2c-a061-5d57f1e6ca85 [2026-01-21 18:09:56.685][vaultwarden::db::models::cipher][WARN] Error parsing data field for c903bb58-481a-4c3a-b171-1168e3a6a0a5 [2026-01-21 18:09:56.685][vaultwarden::db::models::cipher][WARN] Error parsing data field for f2d01aa8-1be1-45fe-b6f6-1ecc1e1f9e4e ``` ``` sqlite> select * from ciphers where data = '' order by created_at desc; 502c9cde-5d15-4287-8abc-e8b271c9fc86|2025-06-03 08:30:21.923074145|2025-06-03 08:30:21.923204810|77ed82e8-7959-42cc-b2be-451a1bf8b330||2|2.xxxxxxxxxx=|xxxxxxxxx||||||| c903bb58-481a-4c3a-b171-1168e3a6a0a5|2025-05-28 15:43:44.253667665|2025-05-28 15:43:44.253823937|77ed82e8-7959-42cc-b2be-451a1bf8b330||2|2.xxxxxxxxxx=|xxxxxxxxx||||||| f2d01aa8-1be1-45fe-b6f6-1ecc1e1f9e4e|2025-05-28 15:40:12.877257236|2025-05-28 15:40:12.877445537|77ed82e8-7959-42cc-b2be-451a1bf8b330||2|2.xxxxxxxxxx=|xxxxxxxxx||||||| b0c34a74-6fc5-4b2c-a061-5d57f1e6ca85|2025-05-28 15:40:03.210629901|2025-05-28 15:40:03.210821117|77ed82e8-7959-42cc-b2be-451a1bf8b330||2|2.xxxxxxxxxx=|xxxxxxxxx||||||| sqlite> ```
GiteaMirror commented 2026-04-23 07:07:15 -05:00
Author
Owner
Copy Link

@uedvt359 commented on GitHub (Jan 22, 2026):

so do I, with 1.35.2:

vaultwarden=# select * from ciphers where data = '' order by created_at desc limit 2;
                 uuid                 |         created_at         |         updated_at         |              user_uuid               | organization_uuid | atype |                                                         name                                                         | notes | fields | data | password_history | deleted_at | reprompt | key
--------------------------------------+----------------------------+----------------------------+--------------------------------------+-------------------+-------+----------------------------------------------------------------------------------------------------------------------+-------+--------+------+------------------+------------+----------+-----
 6c014051-121b-41d5-8882-1019f62ebef0 | 2026-01-15 16:24:59.364536 | 2026-01-15 16:24:59.365405 | 4932c98b-520a-4411-97ed-39a6751ffae1 |                   |     1 | 2.xxxxxxxxxxxxxxxxxxxxxx==|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=                     |       |        |      |                  |            |          |
 4b4727a9-0eb0-463b-a894-fe0e2060c39a | 2026-01-15 16:24:58.760252 | 2026-01-15 16:24:58.795561 | 4932c98b-520a-4411-97ed-39a6751ffae1 |                   |     1 | 2.xxxxxxxxxxxxxxxxxxxxxx==|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= |       |        |      |                  |            |          |
(2 rows)

vaultwarden=#
<!-- gh-comment-id:3783418140 --> @uedvt359 commented on GitHub (Jan 22, 2026): so do I, with 1.35.2: ``` vaultwarden=# select * from ciphers where data = '' order by created_at desc limit 2; uuid | created_at | updated_at | user_uuid | organization_uuid | atype | name | notes | fields | data | password_history | deleted_at | reprompt | key --------------------------------------+----------------------------+----------------------------+--------------------------------------+-------------------+-------+----------------------------------------------------------------------------------------------------------------------+-------+--------+------+------------------+------------+----------+----- 6c014051-121b-41d5-8882-1019f62ebef0 | 2026-01-15 16:24:59.364536 | 2026-01-15 16:24:59.365405 | 4932c98b-520a-4411-97ed-39a6751ffae1 | | 1 | 2.xxxxxxxxxxxxxxxxxxxxxx==|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= | | | | | | | 4b4727a9-0eb0-463b-a894-fe0e2060c39a | 2026-01-15 16:24:58.760252 | 2026-01-15 16:24:58.795561 | 4932c98b-520a-4411-97ed-39a6751ffae1 | | 1 | 2.xxxxxxxxxxxxxxxxxxxxxx==|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= | | | | | | | (2 rows) vaultwarden=# ```
GiteaMirror commented 2026-04-23 07:07:15 -05:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Jan 22, 2026):

I tested the script, and it works just fine.

If you provide invalid encrypted values, than all the clients are not able to decrypt those, and will error.
I'm not sure what you expect from us for this? We can't validate these values, nor will we ever do that.

So. just provide a valid encrypted cipher and all will work just fine.

<!-- gh-comment-id:3784844627 --> @BlackDex commented on GitHub (Jan 22, 2026): I tested the script, and it works just fine. If you provide invalid encrypted values, than all the clients are not able to decrypt those, and will error. I'm not sure what you expect from us for this? We can't validate these values, nor will we ever do that. So. just provide a valid encrypted cipher and all will work just fine.
GiteaMirror commented 2026-04-23 07:07:16 -05:00
Author
Owner
Copy Link

@BlackDex commented on GitHub (Jan 22, 2026):

Also, i did also test a user which does not have access to the collection to write, but only read, and it is blocked from adding a cipher, so that works without issues.

<!-- gh-comment-id:3784954786 --> @BlackDex commented on GitHub (Jan 22, 2026): Also, i did also test a user which does not have access to the collection to write, but only read, and it is blocked from adding a cipher, so that works without issues.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
better for forum
bug
documentation
duplicate
enhancement
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
SSO
Third party
troubleshooting
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#15258
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?