Hashed admin token not replacing plain text token #1683

Closed
opened 2026-04-06 02:12:33 +02:00 by MrUnknownDE · 0 comments

Originally created by @tommyalatalo on 3/27/2023

Subject of the issue

After updating to 1.28.0 and hashing the admin token with argon2 I keep getting a notice in the startup logs:

    [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.

It seems that the plain text admin token is stored in vaultwarden internally and is not being overwritten when replacing ADMIN_TOKEN with a hashed value.

Deployment environment

    ### Your environment (Generated via diagnostics page)
    * Vaultwarden version: v1.28.0
    * Web-vault version: v2023.3.0b
    * OS/Arch: linux/x86_64
    * Running within Docker: true (Base: Alpine)
    * Environment settings overridden: true
    * Uses a reverse proxy: true
    * IP Header check: true (X-Forwarded-For)
    * Internet access: true
    * Internet access via a proxy: false
    * DNS Check: true
    * Browser/Server Time Check: true
    * Server/NTP Time Check: true
    * Domain Configuration Check: true
    * HTTPS Check: true
    * Database type: PostgreSQL
    * Database version: PostgreSQL 9.6.24 on x86_64-pc-linux-musl, compiled by gcc (Alpine 10.3.1_git20211027) 10.3.1 20211027, 64-bit
    * Clients used: 
    * Reverse proxy and version: 
    * Other relevant information: 

**Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, IP_HEADER, DUO_IKEY, DUO_SKEY, DUO_HOST, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD
  • Install method: Docker

Steps to reproduce

  1. Set up Vaultwarden with plain text admin token
  2. After Vaultwarden is up and running with plain text token, generate a hashed token with argon2
  3. Change ADMIN_TOKEN to hashed token and restart Vaultwarden
  4. Vaultwarden logs warning about using a plain text token with ADMIN_TOKEN set to a hashed token

Expected behaviour

Vaultwarden would take the hashed token and be happy, at least if the unhashed value is the actual password value.

Actual behaviour

Vaultwarden logs incorrect information about configured ADMIN_TOKEN values
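Added illustration (not Vaultwarden's own code): how a startup check can decide whether `ADMIN_TOKEN` is an Argon2 PHC string, and how a copy of the setting persisted elsewhere that takes precedence over the environment keeps the old plain-text value in effect, so the notice fires even after the variable was changed. The layered lookup, the `is_argon2_phc` format check and the sample values are assumptions for this example.

```rust
use std::collections::HashMap;

/// True when the token has the Argon2 PHC shape
/// `$argon2id$v=19$m=..,t=..,p=..$<salt>$<hash>` (assumed check, not Vaultwarden's).
pub fn is_argon2_phc(token: &str) -> bool {
    let p: Vec<&str> = token.split('$').collect();
    // The leading '$' yields an empty first element, so a valid string has 6 parts.
    p.len() == 6
        && p[0].is_empty()
        && matches!(p[1], "argon2id" | "argon2i" | "argon2d")
        && p[2].starts_with("v=")
        && p[3].split(',').all(|kv| ["m=", "t=", "p="].iter().any(|k| kv.starts_with(k)))
        && !p[4].is_empty()
        && !p[5].is_empty()
}

/// Layered lookup: a value persisted by the server (stand-in for a saved
/// config) wins over the environment. Returns (value, source).
pub fn effective_admin_token<'a>(
    persisted: &HashMap<&'a str, &'a str>,
    env: &HashMap<&'a str, &'a str>,
) -> Option<(&'a str, &'static str)> {
    if let Some(v) = persisted.get("ADMIN_TOKEN") {
        return Some((*v, "persisted override"));
    }
    env.get("ADMIN_TOKEN").map(|v| (*v, "environment"))
}

/// The notice a startup check would log for the effective token, if any.
pub fn startup_notice(persisted: &HashMap<&str, &str>, env: &HashMap<&str, &str>) -> Option<String> {
    let (token, source) = effective_admin_token(persisted, env)?;
    if is_argon2_phc(token) {
        None
    } else {
        Some(format!("[NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure (source: {source})"))
    }
}

fn main() {
    // Constructed sample values; the hash is not a real Argon2 output.
    let hashed = "$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g";
    let persisted = HashMap::from([("ADMIN_TOKEN", "old-plaintext-secret")]);
    let env = HashMap::from([("ADMIN_TOKEN", hashed)]);
    println!("{:?}", startup_notice(&persisted, &env)); // notice: the stale override wins
    println!("{:?}", startup_notice(&HashMap::new(), &env)); // None once the override is gone
}
```

Clearing the persisted copy (or re-saving the hashed value there) is what makes the environment value take effect in this model.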

Reference: github/vaultwarden#1683