Excessive requests to /api/tasks (IP ban) #231

Closed
opened 2026-04-05 20:40:55 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @nathgoat on 12/17/2025

Prerequisites

Vaultwarden Support String

I am using Vaultwarden and my server eventually bans my client IP due to excessive requests.

This happens:

  • with the browser extension
  • and also with the desktop application

So it does not appear to be extension-specific.

Observed behavior:

  • Everything works normally at first
  • After some time, the client repeatedly sends requests to /api/tasks
  • The server responds with 404
  • Requests continue and trigger an IP ban

Error seen in server logs:

[17/Dec/2025:08:39:27 +0100] - 404 404 - GET https domain.tld "/api/tasks" [Client X.X.X.X] [Length 677] [Gzip 2.41] [Sent-to X.X.X.X] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36" "-"

Scope:

  • Currently affecting 2 users
  • Other users on the same Vaultwarden instance are not affected so far

Expected behavior:

  • The client should not retry indefinitely after 404 responses
  • Normal usage should not result in IP bans

Vaultwarden Build Version

2025.12.0

Deployment method

Official Container Image

Custom deployment method

Yes. Vaultwarden is deployed using Docker behind a reverse proxy with rate limiting enabled.
No other custom modifications have been applied to Vaultwarden itself.

Reverse Proxy

.

Host/Server Operating System

Linux

Operating System Version

Debian 12

Clients

Browser Extension

Client Version

Edge 143.0.3650.80

Steps To Reproduce

Install and use Vaultwarden normally (extension or desktop app)
Log in and access the vault
Leave the client running for some time
Observe repeated GET requests to /api/tasks returning 404
Client IP eventually gets banned by server-side protections

Expected Result

The client should not repeatedly retry after persistent 404 responses, and normal usage should not trigger IP bans.

Actual Result

The client continuously sends requests to /api/tasks returning 404, triggering rate limiting and an IP ban.

Logs

[17/Dec/2025:08:39:27 +0100] - 404 404 - GET https domain.tld "/api/tasks" [Client X.X.X.X] [Length 677] [Gzip 2.41] [Sent-to X.X.X.X] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36" "-"

Screenshots or Videos

Additional Context

No response
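
A triage sketch for the situation reported above, added here as an example and not part of the original issue or of Vaultwarden: it parses access-log lines in the layout quoted in the report and separates a client repeating 404s on one endpoint (the /api/tasks pattern) from a source producing 404s across many paths, so an operator can tell the two apart before a rate-limit ban applies. The function names, thresholds, sample addresses and the reading of the second status field as the client-facing status are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the access-log layout quoted in the report. Assumption: of the two
# status fields, the second is the status returned to the client.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) - (?P<method>[A-Z]+) '
    r'\S+ \S+ "(?P<path>[^"]*)" \[Client (?P<client>[^\]]+)\]'
)

def classify_404_sources(lines, dominant_share=0.9, min_hits=5):
    """Group 404s by client; label one-endpoint pollers vs. multi-path sources."""
    paths = defaultdict(Counter)
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable lines and non-404 responses are ignored
        paths[m["client"]][m["path"]] += 1
        times[m["client"]].append(
            datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    report = {}
    for client, counter in paths.items():
        total = sum(counter.values())
        top_path, top_hits = counter.most_common(1)[0]
        span = (max(times[client]) - min(times[client])).total_seconds()
        if total < min_hits:
            label = "below-threshold"
        elif top_hits / total >= dominant_share:
            label = "single-endpoint-poller"  # e.g. a client stuck on /api/tasks
        else:
            label = "multi-path-404s"         # 404s spread over many paths
        report[client] = {"label": label, "total": total,
                          "top_path": top_path, "span_seconds": span}
    return report

def make_line(ts, path, client):
    """Build one constructed sample line in the report's log layout."""
    return (f'[{ts} +0100] - 404 404 - GET https domain.tld "{path}" '
            f'[Client {client}] [Length 677] [Gzip 2.41] [Sent-to 10.0.0.2] '
            f'"Mozilla/5.0" "-"')

# Constructed sample: one client polling /api/tasks, one hitting many paths.
SAMPLE = [make_line(f"17/Dec/2025:08:39:{s:02d}", "/api/tasks", "198.51.100.7")
          for s in range(0, 30, 5)]
SAMPLE += [make_line(f"17/Dec/2025:08:40:{i:02d}", f"/missing-{i}", "203.0.113.9")
           for i in range(6)]

if __name__ == "__main__":
    for client, info in classify_404_sources(SAMPLE).items():
        print(client, info)
```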

Reference: github/vaultwarden#231