Items in organization but not in collection - not showing in recent web vault or mobile #289

New Issue

AtHeartEngineer · 2025-07-08T08:45:30-04:00

AtHeartEngineer commented

2025-07-08 08:45:30 -04:00

Originally created by @nneul on 1/6/2025

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.32.7
Web-vault version: v2024.6.2c
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Database type: MySQL
Database version: 11.4.4-MariaDB
Environment settings overridden!: true
Uses a reverse proxy: true
IP Header check: true (X-Real-IP)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Websocket Check: true
HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://***********************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": false,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Neulinger Consulting",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 2000,
  "org_creation_users": "*******************",
  "org_events_enabled": true,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "*************",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "Neulinger Bitwarden",
  "smtp_host": "*****************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "******",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 1000,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.32.7

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

apache

Host/Server Operating System

Linux

Operating System Version

Debian 12.8

Clients

Web Vault, Browser Extension, CLI

Client Version

v2024.12.4

Steps To Reproduce

Run older (latest instead of testing) version of server - find an item in an organization that is not mapped to a collection. (This seems like it shouldn't be possible/valid, but it is in the system.)
With newer client - try to find the item. No searches will return it.
Edit the item and add it to a collection.
Resync client
Now it will show up in searches

NOTE - It does not appear to be possible to create this situation - the UI prevents you from removing items from all collections, but if the situation already exists, it appears to present issues.

Upgrade to :testing
Now the item can't even be found in the web vault.

Expected Result

Since this appears to be a situation that isn't supposed to exist, I'm not sure the best solution. Two possibilities:

A) Highlight the entries/flagged in some way in the web UI as "missing collection"
B) Fix web vault behavior so they do show up
C) Transfer ownership out of organization to the user (this seems questionable from a security policy standpoint)
D) Spontaneously create a "Orphaned Items" collection with no users explicitly granted access - and automatically add any item found without a collection into the orphaned items collection. This option seems like the safest one, since it should result in no effective changes in access/etc.

Actual Result

Something about newer web vaults and clients is resulting in "item in an org missing a collection" being lost/inaccessible in new version of code.

Logs

No response

Screenshots or Videos

No response

Additional Context

MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is not null and uuid not in (select cipher_uuid from ciphers_collections);
+----------+
| count(*) |
+----------+
|      180 |
+----------+
1 row in set (0.000 sec)

MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is not null and uuid in (select cipher_uuid from ciphers_collections);
+----------+
| count(*) |
+----------+
|      551 |
+----------+
1 row in set (0.003 sec)

MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is null and uuid in (select cipher_uuid from ciphers_collections);
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0.003 sec)

MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is null and uuid not in (select cipher_uuid from ciphers_collections);
+----------+
| count(*) |
+----------+
|     1451 |
+----------+
1 row in set (0.004 sec)

*Originally created by @nneul on 1/6/2025* ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.32.7 * Web-vault version: v2024.6.2c * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: MySQL * Database version: 11.4.4-MariaDB * Environment settings overridden!: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "*****://***********************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*************************", "domain_origin": "*****://*************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": false, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Neulinger Consulting", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/vaultwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": 2000, "org_creation_users": "*******************", "org_events_enabled": true, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 100000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": true, "signups_allowed": false, "signups_domains_whitelist": "*************", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "***********************", "smtp_from_name": "Neulinger Bitwarden", "smtp_host": "*****************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "******", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 1000, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.32.7 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy apache ### Host/Server Operating System Linux ### Operating System Version Debian 12.8 ### Clients Web Vault, Browser Extension, CLI ### Client Version v2024.12.4 ### Steps To Reproduce 1. Run older (latest instead of testing) version of server - find an item in an organization that is not mapped to a collection. (This seems like it shouldn't be possible/valid, but it is in the system.) 2. With newer client - try to find the item. No searches will return it. 3. Edit the item and add it to a collection. 4. Resync client 5. Now it will show up in searches NOTE - It does not appear to be possible to _create_ this situation - the UI prevents you from removing items from all collections, but if the situation already exists, it appears to present issues. 6. Upgrade to :testing 7. Now the item can't even be found in the web vault. ### Expected Result Since this appears to be a situation that isn't supposed to exist, I'm not sure the best solution. Two possibilities: A) Highlight the entries/flagged in some way in the web UI as "missing collection" B) Fix web vault behavior so they do show up C) Transfer ownership out of organization to the user (this seems questionable from a security policy standpoint) D) Spontaneously create a "Orphaned Items" collection with no users explicitly granted access - and automatically add any item found without a collection into the orphaned items collection. This option seems like the safest one, since it should result in no effective changes in access/etc. ### Actual Result Something about newer web vaults and clients is resulting in "item in an org missing a collection" being lost/inaccessible in new version of code. ### Logs _No response_ ### Screenshots or Videos _No response_ ### Additional Context ``` MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is not null and uuid not in (select cipher_uuid from ciphers_collections); +----------+ | count(*) | +----------+ | 180 | +----------+ 1 row in set (0.000 sec) MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is not null and uuid in (select cipher_uuid from ciphers_collections); +----------+ | count(*) | +----------+ | 551 | +----------+ 1 row in set (0.003 sec) MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is null and uuid in (select cipher_uuid from ciphers_collections); +----------+ | count(*) | +----------+ | 0 | +----------+ 1 row in set (0.003 sec) MariaDB [vaultwarden]> select count(*) from ciphers where organization_uuid is null and uuid not in (select cipher_uuid from ciphers_collections); +----------+ | count(*) | +----------+ | 1451 | +----------+ 1 row in set (0.004 sec) ```

AtHeartEngineer closed this issue

2025-07-08 08:45:30 -04:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#289