[PR #7165] [CLOSED] fix: the admin api endpoint in src/api/admin in admin.rs #27473

Closed
opened 2026-06-15 14:46:55 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/7165
Author: @orbisai0security
Created: 4/30/2026
Status: Closed

Base: mainHead: fix-admin-token-minimum-entropy-enforcement


📝 Commits (1)

  • ccb8d12 fix: V-001 security vulnerability

📊 Changes

1 file changed (+4 additions, -1 deletions)

View changed files

📝 src/config.rs (+4 -1)

📄 Description

Summary

Fix critical severity security issue in src/api/admin.rs.

Vulnerability

Field Value
ID V-001
Severity CRITICAL
Scanner multi_agent_ai
Rule V-001
File src/api/admin.rs:157

Description: The admin API endpoint in src/api/admin.rs processes JSON requests and relies on a static ADMIN_TOKEN for authentication. There is no confirmed enforcement of minimum token entropy at application startup, no rate limiting on authentication attempts, and no account lockout mechanism. An attacker with network access to the admin interface port can attempt to brute-force or guess weak tokens — including common defaults such as empty strings, 'admin', or 'password' — to gain full administrative control over the vault server.

Changes

  • src/config.rs

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/7165 **Author:** [@orbisai0security](https://github.com/orbisai0security) **Created:** 4/30/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix-admin-token-minimum-entropy-enforcement` --- ### 📝 Commits (1) - [`ccb8d12`](https://github.com/dani-garcia/vaultwarden/commit/ccb8d1262846259f4e52d3cb103074603ebbfb17) fix: V-001 security vulnerability ### 📊 Changes **1 file changed** (+4 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `src/config.rs` (+4 -1) </details> ### 📄 Description ## Summary Fix critical severity security issue in `src/api/admin.rs`. ## Vulnerability | Field | Value | |-------|-------| | **ID** | V-001 | | **Severity** | CRITICAL | | **Scanner** | multi_agent_ai | | **Rule** | `V-001` | | **File** | `src/api/admin.rs:157` | **Description**: The admin API endpoint in src/api/admin.rs processes JSON requests and relies on a static ADMIN_TOKEN for authentication. There is no confirmed enforcement of minimum token entropy at application startup, no rate limiting on authentication attempts, and no account lockout mechanism. An attacker with network access to the admin interface port can attempt to brute-force or guess weak tokens — including common defaults such as empty strings, 'admin', or 'password' — to gain full administrative control over the vault server. ## Changes - `src/config.rs` ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] LLM code review passed --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-15 14:46:55 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#27473