401 in Webportal after updating to latest version

het · May 21, 2026, 2:21am

After updating to latest version (docker compose pull)
The login to the web ui is not possible anymore.

Response body of login request:

26.0.0<gsad_response>Token missing or bad. Please login again.</gsad_response>

I also tried setup-and-start-greenbone-community-edition.sh

Resetting the password with gvmd --user=admin --new-password=new_password was sucessful, but did not have any effect. The erros stays the same.

Also other accounts than admin return 401 codes.

In the docker logs I found:

pg-gvm-1 | 2026-05-20 09:09:54.374 UTC [89] LOG: checkpoint complete: wrote 2015 buffers (12.3%); 0 WAL file(s) added, 8 removed, 3 recycled; write=0.027 s, sync=0.006 s, total=0.077 s; sync files=73, longest=0.003 s, average=0.001 s; distance=184063 kB, estimate=410539 kB; lsn=27/8B3DF008, redo lsn=27/8B3DF008
gvmd-1 | Failed to create user: Invalid characters in user name
gvmd-1 | md main:MESSAGE:2026-05-20 09h07.44 utc:87: Greenbone Vulnerability Manager version 26.27.0 (DB revision 274)
gvmd-1 | md manage: INFO:2026-05-20 09h07.44 utc:87: Getting users.
gvmd-1 | md main:MESSAGE:2026-05-20 09h07.45 utc:90: Greenbone Vulnerability Manager version 26.27.0 (DB revision 274)
gvmd-1 | md manage: INFO:2026-05-20 09h07.45 utc:90: Modifying setting.

Later again:

gvmd-1 | md main:MESSAGE:2026-05-20 09h10.56 utc:73: Greenbone Vulnerability Manager version 26.27.0 (DB revision 274)
gvmd-1 | md manage: INFO:2026-05-20 09h10.56 utc:73: Creating user.
gvmd-1 | md manage:WARNING:2026-05-20 09h11.03 utc:73: Invalid characters in user name!
gvmd-1 | Failed to create user: Invalid characters in user name
gvmd-1 | md main:MESSAGE:2026-05-20 09h11.03 utc:83: Greenbone Vulnerability Manager version 26.27.0 (DB revision 274)
gvmd-1 | md manage: INFO:2026-05-20 09h11.03 utc:83: Getting users.
gvmd-1 | md main:MESSAGE:2026-05-20 09h11.03 utc:86: Greenbone Vulnerability Manager version 26.27.0 (DB revision 274)
gvmd-1 | md manage: INFO:2026-05-20 09h11.03 utc:86: Modifying setting.

sinese · May 24, 2026, 2:29pm

Hi,

I had the same issue. It was because I used a custom nginx config. I had to add some parameters on nginx `default.conf`

@@ -15,11 +17,20 @@
   server_name openvas.fdqn;
 
   include /etc/nginx/conf.d/headers.conf;
-  error_log  /var/log/nginx/error.log debug;
+
   ssl_certificate /etc/nginx/certs/server.cert.pem;
   ssl_certificate_key /etc/nginx/certs/server.key;
 
-  location ~ ^/(gmp|system_report|logout) {
+  location ~ ^/(gmp|system_report|logout|login) {
+    # Handle preflight requests
+    if ($request_method = OPTIONS) {
+          add_header Access-Control-Allow-Origin "https://openvas.fdqn:443" always;
+          add_header Access-Control-Allow-Credentials "true" always;
+          add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+          add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
+          add_header Content-Length 0 always;
+          return 204;
+    }
     proxy_pass http://gsad;
     proxy_hide_header Access-Control-Allow-Origin;
     proxy_hide_header Content-Security-Policy;
```