[GH-ISSUE #5036] [BUG]: Single-user password with # character silently corrupted during onboarding #3157

Closed
opened 2026-02-22 18:32:50 -05:00 by yindo · 0 comments
Owner

Originally created by @angelplusultra on GitHub (Feb 20, 2026).
Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/5036

Originally assigned to: @angelplusultra on GitHub.

How are you running AnythingLLM?

Docker (remote machine)

What happened?

The onboarding password form for single-user mode does not validate password characters, unlike the Security settings page. Passwords containing # are silently truncated when written to the .env file, leaving the instance completely unprotected.

The sanitizeValue() function in server/utils/helpers/updateENV.js strips # and everything after it (since # starts comments in .env files), so a password like Password123!@# becomes Password123!@ on disk. After a server restart, AUTH_TOKEN loads the truncated value and auth breaks entirely.

The Security settings page already validates against this with PW_REGEX = /^[a-zA-Z0-9_\-!@$%^&*();]+$/, but the onboarding form is missing this check.

Are there known steps to reproduce?

  1. Go to onboarding
  2. When it asks who the instance is for, choose "Just myself"
  3. Choose to set up a password
  4. Enter a password with a # character such as Password123!@#
  5. Navigate to home
  6. Go to Settings > Security
  7. Notice password mode is disabled
  8. Navigate home
  9. Click avatar and logout — notice how it doesn't redirect you to login. The instance is fully exposed even though it looked like it was protected.
Originally created by @angelplusultra on GitHub (Feb 20, 2026). Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/5036 Originally assigned to: @angelplusultra on GitHub. ### How are you running AnythingLLM? Docker (remote machine) ### What happened? The onboarding password form for single-user mode does not validate password characters, unlike the Security settings page. Passwords containing `#` are silently truncated when written to the `.env` file, leaving the instance completely unprotected. The `sanitizeValue()` function in `server/utils/helpers/updateENV.js` strips `#` and everything after it (since `#` starts comments in `.env` files), so a password like `Password123!@#` becomes `Password123!@` on disk. After a server restart, `AUTH_TOKEN` loads the truncated value and auth breaks entirely. The Security settings page already validates against this with `PW_REGEX = /^[a-zA-Z0-9_\-!@$%^&*();]+$/`, but the onboarding form is missing this check. ### Are there known steps to reproduce? 1. Go to onboarding 2. When it asks who the instance is for, choose "Just myself" 3. Choose to set up a password 4. Enter a password with a `#` character such as `Password123!@#` 5. Navigate to home 6. Go to Settings > Security 7. Notice password mode is disabled 8. Navigate home 9. Click avatar and logout — notice how it doesn't redirect you to login. The instance is fully exposed even though it looked like it was protected.
yindo added the possible bug label 2026-02-22 18:32:50 -05:00
yindo changed title from [BUG]: Single-user password with # character silently corrupted during onboarding to [GH-ISSUE #5036] [BUG]: Single-user password with # character silently corrupted during onboarding 2026-06-05 14:50:39 -04:00
yindo closed this issue 2026-06-05 14:50:39 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#3157