warn users if someone tries to re-register their email address #1965

New Issue

Closed

opened 2026-04-06 02:45:29 +02:00 by MrUnknownDE · 0 comments

MrUnknownDE commented 2026-04-06 02:45:29 +02:00

Owner

Copy Link

Originally created by @stefan0xC on 10/9/2022

When signup is enabled it's possible to check if a user already exists for an attacker by registration which (while not practical) makes it in principle possible to enumerate users that way.

I've already made a pull request #2799 which improves the situation a bit insofar that it would get rid of the more explicit "User already exists" error message but the security could be further improved by maybe rate-limiting the registration as well as simply sending the user a mail if someone tries to re-register their email address.

So my idea would be to change the currently redundant check 382e6107fe/src/api/core/accounts.rs (L103-L109) to something like

if !user.password_hash.is_empty() {
    if CONFIG.mail_enabled() {
        mail::send_registration_attempt_warning(&user.email, &ip, ...).await;
    }
    err!("Registration not allowed or user already exists")
}

*Originally created by @stefan0xC on 10/9/2022* When signup is enabled it's possible to check if a user already exists for an attacker by registration which (while not practical) makes it in principle possible to [enumerate users](https://www.hacksplaining.com/prevention/user-enumeration) that way. I've already made a pull request #2799 which improves the situation a bit insofar that it would get rid of the more explicit `"User already exists"` error message but the security could be further improved by maybe rate-limiting the registration as well as simply sending the user a mail if someone tries to re-register their email address. So my idea would be to change the currently redundant check https://github.com/dani-garcia/vaultwarden/blob/382e6107fe79c0828c7efeb1e05b81cf2a0f2572/src/api/core/accounts.rs#L103-L109 to something like ```rust if !user.password_hash.is_empty() { if CONFIG.mail_enabled() { mail::send_registration_attempt_warning(&user.email, &ip, ...).await; } err!("Registration not allowed or user already exists") } ```

MrUnknownDE closed this issue 2026-04-06 02:45:29 +02:00

MrUnknownDE added the enhancementlow priorityenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementenhancementlow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow prioritylow priority labels 2026-04-06 02:45:40 +02:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

SSO

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

Third party

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

better for forum

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

bug

dependencies

dependencies

dependencies

dependencies

dependencies

dependencies

dependencies

dependencies

dependencies

dependencies

dependencies

documentation

documentation

documentation

documentation

documentation

duplicate

duplicate

duplicate

duplicate

duplicate

duplicate

duplicate

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

enhancement

future Vault

future Vault

future Vault

future Vault

future Vault

future Vault

future Vault

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

good first issue

hacktoberfest-accepted

hacktoberfest-accepted

help wanted

help wanted

help wanted

help wanted

help wanted

help wanted

help wanted

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

low priority

notes

notes

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

question

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

troubleshooting

wontfix

wontfix

wontfix

wontfix

wontfix

wontfix

wontfix

wontfix

wontfix

wontfix

No Label enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement enhancement low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority low priority

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

MrUnknownDE

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#1965