Hashed admin token not replacing plain text token #5183

Closed
opened 2026-03-07 20:16:00 -06:00 by GiteaMirror · 1 comment

Originally created by @tommyalatalo on GitHub (Mar 27, 2023).

Subject of the issue

After updating to 1.28.0 and hashing the admin token with argon2 I keep getting a notice in the startup logs:

[NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.

It seems that the plain text admin token is stored in vaultwarden internally and is not being overwritten when replacing ADMIN_TOKEN with a hashed value.

Deployment environment

    ### Your environment (Generated via diagnostics page)
    * Vaultwarden version: v1.28.0
    * Web-vault version: v2023.3.0b
    * OS/Arch: linux/x86_64
    * Running within Docker: true (Base: Alpine)
    * Environment settings overridden: true
    * Uses a reverse proxy: true
    * IP Header check: true (X-Forwarded-For)
    * Internet access: true
    * Internet access via a proxy: false
    * DNS Check: true
    * Browser/Server Time Check: true
    * Server/NTP Time Check: true
    * Domain Configuration Check: true
    * HTTPS Check: true
    * Database type: PostgreSQL
    * Database version: PostgreSQL 9.6.24 on x86_64-pc-linux-musl, compiled by gcc (Alpine 10.3.1_git20211027) 10.3.1 20211027, 64-bit
    * Clients used: 
    * Reverse proxy and version: 
    * Other relevant information: 

    Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, IP_HEADER, DUO_IKEY, DUO_SKEY, DUO_HOST, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD
  • Install method: Docker

Steps to reproduce

  1. Set up Vaultwarden with plain text admin token
  2. After Vaultwarden is up and running with plain text token, generate a hashed token with argon2
  3. Change ADMIN_TOKEN to hashed token and restart Vaultwarden
  4. Vaultwarden logs warning about using a plain text token with ADMIN_TOKEN set to a hashed token

Expected behaviour

Vaultwarden would take the hashed token and be happy, at least if the unhashed value is the actual password value.

Actual behaviour

Vaultwarden logs incorrect information about configured ADMIN_TOKEN values


@BlackDex commented on GitHub (Mar 27, 2023):

You used the admin interface to save settings. This creates a config.json file which overrules all ENV variables.
As is stated both during startup and in the admin interface at the top.

Either login into the admin interface, and replace the token there and press save. Or make sure all changed settings are converted to ENV variables and remove the config.json.

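The precedence the reply describes (a saved config.json beats the ADMIN_TOKEN environment variable) is easy to get wrong when auditing a deployment. The following is an added, defender-side check, not code from the issue or from Vaultwarden itself. It assumes that config.json stores the value under the key `admin_token`, that the file lives at `<data folder>/config.json`, and that a "hashed" token is a PHC-format argon2 string beginning with `$argon2`; all three are assumptions made here, and the sample inputs are constructed for the demonstration.

```python
import json
import os
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# PHC-format argon2 string, e.g. "$argon2id$v=19$m=65540,t=3,p=4$<salt>$<hash>".
# Assumption: this is what a hashed ADMIN_TOKEN looks like; a value that does
# not match is treated as plain text.
PHC_ARGON2_RE = re.compile(
    r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)


def is_hashed_admin_token(value: str) -> bool:
    """True if the value is a PHC-format argon2 hash rather than a plain secret."""
    return bool(PHC_ARGON2_RE.match(value))


def effective_admin_token(env: Dict[str, str], config_json: Optional[str]) -> Tuple[Optional[str], str]:
    """Return (token, source) following the precedence described in the reply:
    a config.json written by the admin interface overrides the env variable.
    Assumption: the JSON key is 'admin_token'."""
    if config_json:
        data = json.loads(config_json)
        saved = data.get("admin_token")
        if saved:
            return saved, "config.json"
    from_env = env.get("ADMIN_TOKEN")
    if from_env:
        return from_env, "env"
    return None, "unset"


def assess(env: Dict[str, str], config_json: Optional[str]) -> Dict[str, object]:
    """Report which token is in effect, where it came from, and whether the
    startup notice about a plain text token is expected."""
    token, source = effective_admin_token(env, config_json)
    if token is None:
        return {"source": source, "hashed": False, "plaintext_notice": False,
                "advice": "ADMIN_TOKEN not set; admin interface is disabled"}
    hashed = is_hashed_admin_token(token)
    env_is_hashed = is_hashed_admin_token(env.get("ADMIN_TOKEN", ""))
    if not hashed and source == "config.json" and env_is_hashed:
        advice = ("config.json still holds a plain text token and overrides the hashed "
                  "ADMIN_TOKEN in the environment; replace the token in the admin "
                  "interface and save, or move all settings to env and delete config.json")
    elif not hashed:
        advice = "plain text admin token in effect; store an argon2 hash instead"
    else:
        advice = "hashed admin token in effect"
    return {"source": source, "hashed": hashed,
            "plaintext_notice": not hashed, "advice": advice}


def assess_deployment(data_dir: str) -> Dict[str, object]:
    """Run the check against a real deployment: os.environ plus
    <data_dir>/config.json if it exists (path is an assumption)."""
    cfg_path = Path(data_dir) / "config.json"
    cfg = cfg_path.read_text() if cfg_path.is_file() else None
    return assess(dict(os.environ), cfg)


# Constructed sample values, not real secrets.
SAMPLE_HASH = "$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNo"
SAMPLE_CONFIG = json.dumps({"domain": "https://vault.example.test", "admin_token": "plain-secret"})

if __name__ == "__main__":
    # Scenario from the issue: env has the hash, config.json still has plain text.
    print(assess({"ADMIN_TOKEN": SAMPLE_HASH}, SAMPLE_CONFIG))
    # After the fix from the reply: config.json removed, env carries the hash.
    print(assess({"ADMIN_TOKEN": SAMPLE_HASH}, None))
```

Run it against a live install with `assess_deployment("/data")` (or wherever the data folder is mounted) to see which value is actually in effect before chasing the notice in the logs.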

Reference: github-starred/vaultwarden#5183