I’m running vaultwarden/server:1.35.4 via docker and I enabled the admin panel ADMIN_TOKEN to configure SMTP. After I was done, I commented out the ADMIN_TOKEN line in docker_compose.yaml, ran docker compose down and docker compose up -d, and after that I was still able to hard refresh the admin panel and access it without re-entering the token. After clicking log out, I was still able to re-enter the token and log back in. Is this a security bug? How can I ensure the admin panel is disabled during production? Thanks!
If you have configured SMTP via the /admin panel you probably have created a data/config.json that sets the ADMIN_TOKEN. So it’s not a bug but how the configuration system currently works.
Make sure an ADMIN_TOKEN is not configured (and also DISABLE_ADMIN_TOKEN is not set). Cf. the wiki page “Enabling admin page” (dani-garcia/vaultwarden Wiki on GitHub).
You can also add additional safeguards via a reverse proxy to e.g. deny all access to /admin.
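A check for the situation the answer describes, as an added example that is neither from this thread nor part of vaultwarden itself: it reports whether the panel would still be reachable because of a leftover data/config.json or a still-exported environment variable. It assumes config.json uses the lowercase keys admin_token and disable_admin_token; the sample file and its values are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread or the vaultwarden project).
# Assumption: the config.json written by the /admin panel stores the token
# under "admin_token" and the bypass flag under "disable_admin_token".

# Return 0 if the admin panel is effectively disabled, 1 otherwise.
# Arg 1: path to data/config.json (may not exist). ADMIN_TOKEN and
# DISABLE_ADMIN_TOKEN are read from the current environment, i.e. what the
# container would see from the compose file.
admin_panel_disabled() {
    cfg="$1"
    reasons=""
    if [ -n "${ADMIN_TOKEN:-}" ]; then
        reasons="$reasons ADMIN_TOKEN(env)"
    fi
    if [ "${DISABLE_ADMIN_TOKEN:-}" = "true" ]; then
        reasons="$reasons DISABLE_ADMIN_TOKEN(env)"
    fi
    if [ -f "$cfg" ]; then
        # A string value (plain or hashed token) keeps the panel enabled;
        # a null value or an absent key does not.
        if grep -Eq '"admin_token"[[:space:]]*:[[:space:]]*"' "$cfg"; then
            reasons="$reasons admin_token(config.json)"
        fi
        if grep -Eq '"disable_admin_token"[[:space:]]*:[[:space:]]*true' "$cfg"; then
            reasons="$reasons disable_admin_token(config.json)"
        fi
    fi
    if [ -n "$reasons" ]; then
        echo "admin panel still enabled by:$reasons" >&2
        return 1
    fi
    echo "admin panel disabled"
    return 0
}

# Constructed sample of what saving SMTP settings in /admin leaves behind:
# the token persists here even after it is removed from the compose file.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
{
  "smtp_host": "mail.example.invalid",
  "admin_token": "constructed-example-token"
}
EOF

admin_panel_disabled "$SAMPLE_CFG" || true
```

Run it against the real data/config.json with the same environment the container gets; a non-zero exit names each setting that still keeps /admin reachable.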