Server softlock after organization operations #1564

New Issue

MrUnknownDE · 2026-04-06T02:00:30+02:00

MrUnknownDE commented

2026-04-06 02:00:30 +02:00

Originally created by @Bert-Proesmans on 6/29/2023

Subject of the issue

The server doesn't execute operations anymore after manipulations on the organization vault. It's not possible to perform new logins, nor record creation/deletion/moves.

Deployment environment

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.28.1 (Docker image, latest as of today)
Web-vault version: v2023.3.0b
OS/Arch: linux/x86_64
Running within Docker: true (Base: Debian)
Environment settings overridden: false
Uses a reverse proxy: true
IP Header check: true (X-Real-IP)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Database type: SQLite
Database version: 3.39.2
Clients used: web vault, browser extensions
Reverse proxy and version: Nginx Proxy Manager (nginx version: openresty/1.21.4.1)
MySQL/MariaDB or PostgreSQL version: SQLite (included in image)
Other relevant details: Websockets are used and proxied, < 5 connected users (browser extension)

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": true,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************",
  "domain_origin": "*****://***********************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 365,
  "extended_logging": true,
  "helo_name": "******************",
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "\"***\"",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 1048576,
  "org_creation_users": "***************************************,************************************",
  "org_events_enabled": true,
  "org_groups_enabled": false,
  "password_hints_allowed": false,
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": true,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "************************",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 1800,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "\"Login\"",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": false,
  "smtp_from": "******************************************",
  "smtp_from_name": "***",
  "smtp_host": "******************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******************************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 20480,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

Create 2 users
Create organization
(bitwarden browser extension) Have both users create 4 records in individual vault
(web vault) Have both users simultaneously move their individual records to the organization vault, to the same or different collections
(web vault/all clients) Observe hang, if not, with the user where normal behavior is observed; remove the moved records in the organization vault

Expected behaviour

The selected individual records are present in the organization vault, and/or removed if step 5 has been conditionally executed.
No issues with login in/off and no issues with manipulations on the individual and organization vault.

Actual behaviour

The server softlocks; it's not possible to login, nor is it possible to perform any operations on the vault data.
The only thing left to do is close the web vault tabs.
The server recovers within 10 minutes, but I'm not sure in which capacity. The selected individual records are entirely or partially moved! Records that haven't been moved are still present in the respective users' individual vault.

Troubleshooting data

There are no warnings or errors reported anywhere, nothing in the browser console, nothing in the container logs.
The only thing I can add is that the server recovers and the vault is in a consistent state; the vault opens and there is no data loss.

*Originally created by @Bert-Proesmans on 6/29/2023*   ### Subject of the issue  The server doesn't execute operations anymore after manipulations on the organization vault. It's not possible to perform new logins, nor record creation/deletion/moves. ### Deployment environment  ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.28.1 (Docker image, latest as of today) * Web-vault version: v2023.3.0b * OS/Arch: linux/x86_64 * Running within Docker: true (Base: Debian) * Environment settings overridden: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.39.2 * Clients used: web vault, browser extensions * Reverse proxy and version: Nginx Proxy Manager (nginx version: openresty/1.21.4.1) * MySQL/MariaDB or PostgreSQL version: SQLite (included in image) * Other relevant details: Websockets are used and proxied, < 5 connected users (browser extension) ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": true, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://***********************", "domain_origin": "*****://***********************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": false, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": 365, "extended_logging": true, "helo_name": "******************", "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "\"***\"", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": 1048576, "org_creation_users": "***************************************,************************************", "org_events_enabled": true, "org_groups_enabled": false, "password_hints_allowed": false, "password_iterations": 100000, "reload_templates": false, "require_device_email": true, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "************************", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 1800, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": "\"Login\"", "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": false, "smtp_from": "******************************************", "smtp_from_name": "***", "smtp_host": "******************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "******************************************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 20480, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": true, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details>     ### Steps to reproduce  1. Create 2 users 2. Create organization 3. (bitwarden browser extension) Have both users create 4 records in individual vault 4. (web vault) Have both users simultaneously move their individual records to the organization vault, to the same or different collections 5. (web vault/all clients) Observe hang, if not, with the user where normal behavior is observed; remove the moved records in the organization vault ### Expected behaviour  The selected individual records are present in the organization vault, and/or removed if step 5 has been conditionally executed. No issues with login in/off and no issues with manipulations on the individual and organization vault. ### Actual behaviour  The server softlocks; it's not possible to login, nor is it possible to perform any operations on the vault data. The only thing left to do is close the web vault tabs. The server recovers within 10 minutes, but I'm not sure in which capacity. The selected individual records are entirely or **partially** moved! Records that haven't been moved are still present in the respective users' individual vault. ### Troubleshooting data  There are no warnings or errors reported anywhere, nothing in the browser console, nothing in the container logs. The only thing I can add is that the server recovers and the vault is in a consistent state; the vault opens and there is no data loss.

MrUnknownDE closed this issue

2026-04-06 02:00:30 +02:00

MrUnknownDE added the troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting labels 2026-04-06 02:00:32 +02:00

Sign in to join this conversation.

No Label troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting troubleshooting

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#1564