[GH-ISSUE #6565] Excessive requests to /api/tasks (IP ban) #19243

New Issue

Closed

opened 2026-04-25 21:45:21 -05:00 by GiteaMirror · 2 comments

GiteaMirror commented 2026-04-25 21:45:21 -05:00

Owner

Copy Link

Originally created by @nathgoat on GitHub (Dec 17, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6565

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

I am using Vaultwarden and my server eventually bans my client IP due to excessive requests.

This happens:

• with the browser extension
• and also with the desktop application
  So it does not appear to be extension-specific.

Observed behavior:

• Everything works normally at first
• After some time, the client repeatedly sends requests to /api/tasks
• The server responds with 404
• Requests continue and trigger an IP ban

Error seen in server logs:

[17/Dec/2025:08:39:27 +0100] - 404 404 - GET https domain.tld "/api/tasks" [Client X.X.X.X] [Length 677] [Gzip 2.41] [Sent-to X.X.X.X] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36" "-"

Scope:

• Currently affecting 2 users
• Other users on the same Vaultwarden instance are not affected so far

Expected behavior:

• The client should not retry indefinitely after 404 responses
• Normal usage should not result in IP bans

Vaultwarden Build Version

2025.12.0

Deployment method

Official Container Image

Custom deployment method

Yes. Vaultwarden is deployed using Docker behind a reverse proxy with rate limiting enabled.
No other custom modifications have been applied to Vaultwarden itself.

Reverse Proxy

.

Host/Server Operating System

Linux

Operating System Version

Debian 12

Clients

Browser Extension

Client Version

Edge 143.0.3650.80

Steps To Reproduce

Install and use Vaultwarden normally (extension or desktop app)
Log in and access the vault
Leave the client running for some time
Observe repeated GET requests to /api/tasks returning 404
Client IP eventually gets banned by server-side protections

Expected Result

The client should not repeatedly retry after persistent 404 responses, and normal usage should not trigger IP bans.

Actual Result

The client continuously sends requests to /api/tasks returning 404, triggering rate limiting and an IP ban.

Logs

[17/Dec/2025:08:39:27 +0100] - 404 404 - GET https domain.tld "/api/tasks" [Client X.X.X.X] [Length 677] [Gzip 2.41] [Sent-to X.X.X.X] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36" "-"

Screenshots or Videos

Additional Context

No response

Originally created by @nathgoat on GitHub (Dec 17, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6565 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String I am using Vaultwarden and my server eventually bans my client IP due to excessive requests. This happens: - with the browser extension - and also with the desktop application So it does not appear to be extension-specific. Observed behavior: - Everything works normally at first - After some time, the client repeatedly sends requests to /api/tasks - The server responds with 404 - Requests continue and trigger an IP ban Error seen in server logs: ------------------------------------------------------------------------- [17/Dec/2025:08:39:27 +0100] - 404 404 - GET https domain.tld "/api/tasks" [Client X.X.X.X] [Length 677] [Gzip 2.41] [Sent-to X.X.X.X] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36" "-" ------------------------------------------------------------------------- Scope: - Currently affecting 2 users - Other users on the same Vaultwarden instance are not affected so far Expected behavior: - The client should not retry indefinitely after 404 responses - Normal usage should not result in IP bans ### Vaultwarden Build Version 2025.12.0 ### Deployment method Official Container Image ### Custom deployment method Yes. Vaultwarden is deployed using Docker behind a reverse proxy with rate limiting enabled. No other custom modifications have been applied to Vaultwarden itself. ### Reverse Proxy . ### Host/Server Operating System Linux ### Operating System Version Debian 12 ### Clients Browser Extension ### Client Version Edge 143.0.3650.80 ### Steps To Reproduce Install and use Vaultwarden normally (extension or desktop app) Log in and access the vault Leave the client running for some time Observe repeated GET requests to /api/tasks returning 404 Client IP eventually gets banned by server-side protections ### Expected Result The client should not repeatedly retry after persistent 404 responses, and normal usage should not trigger IP bans. ### Actual Result The client continuously sends requests to /api/tasks returning 404, triggering rate limiting and an IP ban. ### Logs ```text [17/Dec/2025:08:39:27 +0100] - 404 404 - GET https domain.tld "/api/tasks" [Client X.X.X.X] [Length 677] [Gzip 2.41] [Sent-to X.X.X.X] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36" "-" ``` ### Screenshots or Videos ### Additional Context _No response_

GiteaMirror added the bug label 2026-04-25 21:45:21 -05:00

GiteaMirror closed this issue 2026-04-25 21:45:22 -05:00

GiteaMirror commented 2026-04-25 21:45:22 -05:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub (Dec 17, 2025):

That endpoint was added already in #6557 and is available in the current testing image. If you don't want to use that you should downgrade your clients until there's a new release.

<!-- gh-comment-id:3664929401 --> @stefan0xC commented on GitHub (Dec 17, 2025): That endpoint was added already in #6557 and is available in the current `testing` image. If you don't want to use that you should downgrade your clients until there's a new release.

GiteaMirror commented 2026-04-25 21:45:23 -05:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Dec 17, 2025):

Closing as resolved via #6557

<!-- gh-comment-id:3665392281 --> @BlackDex commented on GitHub (Dec 17, 2025): Closing as resolved via #6557

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.36.0

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#19243