I’m posting this as a new thread because this issue needs visibility at the top of the forum, not buried in years-old threads with no resolution.
The Problem
When users forget their OnlyOffice Workspace password and their account email is hosted on the OnlyOffice Mail Server, password recovery is impossible:
- User clicks “Forgot Password”.
- Reset link is sent to their OnlyOffice mailbox.
- User cannot access that mailbox because they don’t know their password.
- Circular dependency. Complete productivity stop.
Admins have no ability to directly reset a user’s password. The only “workaround” is to change the user’s email address to an external address, send the reset link there, then change it back. This is absurd for a production system.
This Has Been Known For A Decade
- October 2015: GitHub Issue #29 on CommunityServer requested password reset without email dependency. GitHub · Where software is built
- August 2022: GitHub Issue #162 on Docker-CommunityServer described this exact circular dependency with internal mailboxes. Users forgetting password not able to reset it · Issue #162 · ONLYOFFICE/Docker-CommunityServer · GitHub
- July 2023: Forum thread “Easy way for portal admin to reset passwords for user” described the same problem. Easy way for portal admin to reset passwords for user
- August 2023: OnlyOffice staff member Alexandre responded: “We have discussed this case and we have started working on your suggestion (we are going to add a simple way reset users’ password by administration).”
It is now January 2026. This feature has not shipped. There have been no updates. The issue remains open.
Why This Is Critical
This is not a feature request. This is a fundamental authentication flow that every system since the 1990s has solved. The standard solutions are:
- Admin can directly set a user’s password
- Secondary/recovery email field
- Phone/SMS recovery
- Security questions
- Recovery codes
OnlyOffice has none of these. A single forgotten password creates a complete work stoppage requiring admin intervention with a hacky workaround, or direct database manipulation.
For any organization using OnlyOffice Mail Server as their primary email (which is a core advertised use case), this makes the platform operationally unusable without constant admin babysitting.
What I’m Asking For
- A direct answer on whether this is being worked on
- An estimated timeline
- If it’s not prioritized, an explanation of why a 10-year-old critical authentication gap is not being addressed
I need to make a decision about whether to continue investing in this platform or migrate to something else. I suspect many others are in the same position.