mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-16 08:54:01 -05:00
[PR #7165] [CLOSED] fix: the admin api endpoint in src/api/admin in admin.rs #31551
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/dani-garcia/vaultwarden/pull/7165
Author: @orbisai0security
Created: 4/30/2026
Status: ❌ Closed
Base:
main← Head:fix-admin-token-minimum-entropy-enforcement📝 Commits (1)
ccb8d12fix: V-001 security vulnerability📊 Changes
1 file changed (+4 additions, -1 deletions)
View changed files
📝
src/config.rs(+4 -1)📄 Description
Summary
Fix critical severity security issue in
src/api/admin.rs.Vulnerability
V-001src/api/admin.rs:157Description: The admin API endpoint in src/api/admin.rs processes JSON requests and relies on a static ADMIN_TOKEN for authentication. There is no confirmed enforcement of minimum token entropy at application startup, no rate limiting on authentication attempts, and no account lockout mechanism. An attacker with network access to the admin interface port can attempt to brute-force or guess weak tokens — including common defaults such as empty strings, 'admin', or 'password' — to gain full administrative control over the vault server.
Changes
src/config.rsVerification
Automated security fix by OrbisAI Security
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.