WebUI Security: Session still valid after reset password but before restart qBittorrent #14255

Open
opened 2026-02-22 00:51:28 -05:00 by deekerman · 0 comments

Originally created by @Ghost-chu on GitHub (Jan 23, 2023).

qBittorrent & operating system versions

qBittorrent v4.5.0 Web UI (64-bit)
Qt: 6.4.1
Libtorrent: 1.2.18.0
Boost: 1.80.0
OpenSSL: 3.0.7
zlib: 1.2.12.zlib-ng

What is the problem?

qBittorrent does not log off existing sessions when users change their WebUI password (or username), or uncheck the bypass local auth checkbox.

This can be a security risk, as when an attacker logs into the WebUI once, they only need to find a way to keep the operation active, and qBittorrent will extend the session validity for that session.
Even when the user changes the user and password, these sessions are not logged out unless the user restarts qBittorrent.

For Windows hosts, this does not seem to be a problem. But for qBittorrent running on a NAS or Linux server, these devices don't reboot very often, and these users do their best to avoid rebooting qBittorrent to avoid enjoying a slow file checksum.

Also, sessions are not bound to IP addresses.
This means that if the SID is leaked, it can be exploited by an attacker in another location.

Steps to reproduce

  1. Log in to your qBittorrent in an In-private browser window.
  2. Log in to your qBittorrent in a normal browser window.
  3. Modify your qBittorrent username and password; also uncheck `Bypass authentication for clients on localhost` and `Bypass authentication for clients in whitelisted IP subnets` to avoid affecting the experimental results.
  4. Click `Save` to apply the password and setting changes.
  5. Refresh your In-private browser window; it still keeps its logged-in status.

  ---

  6. Check and copy your `SID` value by pressing `F12`, `Application -> Cookie -> <YOUR_HOST>`.
  7. Connect to your remote host and open your qBittorrent instance.
  8. On the `Login` page, press `F12`, open `Console`, and execute this JavaScript:

     ```javascript
     document.cookie = "SID=<YOUR_SID>"
     ```

  9. Press `Enter` to write the cookie value, then refresh the login page; now you're able to continue the session on a different machine with full control.
  10. Restart your qBittorrent; now all sessions are revoked. You're safe now!

Additional context

This report was translated using DeepL, my English is not good, if you have any questions please reply below and I will add them.

Log(s) & preferences file(s)

qBittorrent.conf -> https://paste.gg/p/anonymous/bd4bf3315c8340db8e7ab819ef2a8f90
qBittorrent.log (cut) -> https://paste.gg/p/anonymous/1cc427f3156f43ffb9c7edfd350b8ce2

NOTE: There is nothing useful in logs, but you can see that there are no multiple times of login.
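As an added illustration (not qBittorrent's own code) of the behaviour this report asks for, a minimal C++ session table in which every SID records the credential generation it was issued under; changing the username/password or clearing a bypass-auth setting bumps that generation, so all earlier SIDs are rejected without restarting the process, and each SID is additionally checked against the client address that created it. All names (`SessionManager`, `login`, `isValid`, `revokeAll`) and the sample credentials and addresses are invented for the example.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Added illustration, not qBittorrent's implementation. Each SID is stamped
// with the credential "generation" current when it was issued; changing the
// credentials or the auth-bypass settings bumps the generation, so every
// earlier SID stops validating at once, with no daemon restart needed.
class SessionManager {
public:
    SessionManager(const std::string& user, const std::string& pass)
        : m_user(user), m_pass(pass) {}

    // Returns a new SID, or "" on bad credentials. The SID is a constructed
    // counter; real code uses a CSPRNG and compares a salted password hash.
    std::string login(const std::string& user, const std::string& pass,
                      const std::string& clientAddr) {
        if (user != m_user || pass != m_pass)
            return "";
        std::string sid = "SID-" + std::to_string(++m_counter);
        m_sessions[sid] = Session{m_generation, clientAddr};
        return sid;
    }

    // Valid only if the SID exists, was issued under the current generation
    // and (defence in depth) arrives from the address that created it.
    bool isValid(const std::string& sid, const std::string& clientAddr) const {
        auto it = m_sessions.find(sid);
        return it != m_sessions.end()
            && it->second.generation == m_generation
            && it->second.clientAddr == clientAddr;
    }

    // Changing the username or password revokes every existing session.
    void setCredentials(const std::string& user, const std::string& pass) {
        m_user = user;
        m_pass = pass;
        revokeAll();
    }

    // Also called when a bypass-auth checkbox is cleared. Stale entries are
    // invalidated lazily and can be swept later (sweep omitted here).
    void revokeAll() { ++m_generation; }

private:
    struct Session { uint64_t generation; std::string clientAddr; };
    std::string m_user, m_pass;
    uint64_t m_generation = 1, m_counter = 0;
    std::map<std::string, Session> m_sessions;
};
```

Binding a SID to the originating address is a defence-in-depth check only; clients behind changing or shared addresses will be logged out, so the generation bump on credential change is the essential part.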
