All Versions
72
Latest Version
Avg Release Cycle
143 days
Latest Release
63 days ago

Changelog History
Page 1

  • v5.11.0 Changes

    April 10, 2026

    πŸš€ Passbolt 5.11.0 "Got To be Real" marks SCIM provisioning as production-ready following an external security audit by Cure53. This release also adds PingOne as a new SSO provider and introduces OAuth support for SMTP authentication with Microsoft Exchange Online, ahead of Microsoft's planned deprecation of basic authentication at the end of 2026.

    πŸ›  SCIM: audit fixes and general availability (Passbolt Pro)

    ⚑️ SCIM provisioning, introduced as beta in Passbolt 5.5.0, is now marked as stable. With SCIM, administrators can create, update, suspend, and delete users directly from their identity provider, without ever touching the Passbolt UI. Microsoft Entra ID and Okta have been tested and validated as supported providers.

    πŸš€ This milestone follows an external security audit conducted by Cure53, whose findings have been addressed across this and previous releases. The full report will be published shortly and made available to the community.

    πŸ‘ PingOne SSO support (Passbolt Pro)

    πŸš€ This release adds PingOne as a new SSO provider. Organisations using PingOne can now authenticate their users without leaving their existing identity infrastructure.

    πŸ‘ PingOne joins the list of supported SSO providers alongside Azure AD, AD FS, Google, and the generic OpenID Connect connector that supports providers such as Keycloak or other in-house identity systems.

    πŸ‘ SMTP OAuth support for Microsoft Exchange Online

    πŸš€ This release introduces OAuth 2.0 support for SMTP email delivery with Microsoft Exchange Online. Microsoft has announced that basic authentication for SMTP will be disabled by default at the end of 2026 (see Microsoft's updated deprecation timeline). Organisations using Exchange Online can start transitioning to OAuth now, ahead of the deadline.

    ⚑️ Safari update (beta)

    πŸš€ The Safari extension moves to its next milestone. While still in beta, organisations can now opt in by enabling a feature flag in the API configuration file or via environment variable. Once enabled, the browser extension becomes available through what will become the stable package on the Apple Store, allowing organisations to deploy it for all their users.

    πŸ‘€ Safari support is not yet fit for production use. For more details about the known limitations and risks, see the open beta announcement. We thank the community members participating in the TestFlight program for their continued feedback and encourage pioneers who are comfortable with the risk to enable it and share their experience.

    πŸ”Œ To enable safari beta from the environment variables, set the PASSBOLT_PLUGINS_SAFARI_ENABLED to true.

    πŸ”§ To enable safari beta from the passbolt.php configuration file.

    'passbolt' => [
  'plugins' => [
    'safari' => [
      'enabled' => true,
    ],
  ],
],

    Other changes

    πŸš€ This release adds autofill support for ProxMox, OVH, Supermicro IPMI, and several other websites. We continuously work to improve autofill coverage and the feedback from the community is invaluable. If you encounter a website where autofill does not work as expected, do not hesitate to file a bug report.

    πŸš€ As usual, the release is also packed with additional improvements and fixes. Check out the detailed logs to learn more.

    Conclusion

    πŸ‘ Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!

    πŸ”„ Changelog

    βž• Added

    • πŸ‘ PB-49875 OAuth support for smtp authentication
    • PB-50158 Add a feature flag to enable/disable Safari availability on a Passbolt instance
    • PB-50199 As an admin I can contain my_group_user in POST /groups.json
    • PB-50646 Add Permissions-Policy header on the API response
    • PB-32992 [Pro] As a user I can use PingOne as single sign on provider
    • 🚚 PB-50524 [Pro] Move SCIM feature out of beta

    πŸ›  Fixed

    • PB-49323 As a user creating a resource, I should not get a 500 if the secret passed is not an array of secrets
    • PB-40266 Health-check issues on Ubuntu 24 when running while being in a directory without the +x permission bit for www-data user (GITHUB #571)
    • PB-50021 As a guest, I should not get a 500 on GET /users.json?contain[pending_account_recovery_request]=1
    • PB-49823 Fix misleading email notification footer
    • PB-50028 GITHUB - Fix GPG authentication nonce UUID validation using incorrect comparison operand (#592, #596)
    • PB-50121 Replace rand() with a static counter to generate unique bind-parameter placeholder (GITHUB #595)
    • 🌲 PB-50241 As a logged-in user I should not get a 500 when logging-in again
    • PB-49902 As a user I cannot create a v4 resource with v5 resource type
    • PB-49286 [Pro] PBL-15-009 WP4: Non-transactional group member operations (Low)
    • PB-49160 [Pro] PBL-15-012 WP1: Potential admin lockout via malicious IdP request (Low)
    • πŸ”€ PB-49159 [Pro] PBL-15-011 WP4: Lack of transaction wrapper in production sync (Low)
    • PB-49285 [Pro] PBL-15-008 WP4: ScimEntry uniqueness race condition (Medium)
    • PB-49284 [Pro] PBL-15-007 WP5: Potential DoS via pre-authentication GPG decryption (Low)
    • PB-49151 [Pro] PBL-15-003 WP3: Lack of bearer token expiry & revocation schemes (Medium)
    • PB-50646 - Add Permissions-Policy header on the API response

    πŸ‘Œ Improved

    • PB-50070 Align X-Frame-Options with CSP and add missing X-XSS-Protection header

    🚧 Maintenance

    • πŸ”Œ PB-50133 Align allowCsvFormat variable name in plugin config.php
    • πŸ”’ PB-50173 Fix composer security vulnerability advisory affecting phpseclib/phpseclib package (CVE-2026-32935)
    • 🍱 PB-49096 Remove unused MFA assets & pages served by the browser extension

  • v5.5.0 Changes

    September 15, 2025

    πŸš€ Release song: https://youtu.be/L3Wo8jcNrkQ

    πŸš€ Passbolt 5.5.0 is a feature release introducing encrypted metadata in zero-knowledge mode and SCIM provisioning (beta) for automated user management.

    πŸ“‡ Encrypted Metadata Zero-Knowledge Mode

    πŸ“‡ This mode is designed for organizations that prioritize privacy over server-side auditability. In this setup, the server never has access to the shared metadata private key.

    • Key distribution : When a new user joins, the server does not distribute the metadata key.
      πŸ‘‰ Administrators are notified by email and can review which users are missing the key in the Users & Groups workspace. Keys must then be shared manually.
    • πŸ‘‰ User experience : Until the key is received, the user’s actions are limited. Operations that depend on metadata, such as sharing a resource, moving a private item into a shared folder or creating resources intended to be shared are blocked.
    • πŸ’» Guidance in UI : If a restricted action is attempted, the interface provides an explanation and steps to resolve the issue.

    πŸ“‡ More details are available in the dedicated blog post on encrypted metadata and zero-knowledge.

    πŸ›  Several bugs reported by the community have also been fixed. As always, thank you to everyone who took the time to file issues and suggest improvements. Checkout the changelog for more information.

    [5.5.0] - 2025-09-15

    βž• Added

    • πŸ“‡ PB-44639 As an administrator, when updating metadata settings from friendly mode to zero knowledge, I should see the server key dropped in DB
    • πŸ“‡ PB-44756 Updates metadata keys settings endpoint to accept server metadata private key
    • πŸ“‡ PB-44752 Adds a new data check for existing resources v5 encrypted with hard or soft deleted shared metadata key

    πŸ›  Fixed

    • πŸ›  PB-45060 Fixes custom fields json schema properties type
    • PB-45062 Fixes user_setup_complete.php template in LU folder instead of AD
    • PB-44760 Fixes health check "record not found in table organization_settings" issue (GITHUB #563)

    🚧 Maintenance

    • PB-44915 Changes DDEV containers names and URLs from passbolt-ce-api to passbolt-api
    • ⚑️ PB-44813 Updates ddev config
    • βœ… PB-44772 Speeds up continuous integration by splitting pipelines in two distinct test suites

  • v3.7.3 Changes

    September 27, 2022

    πŸ”’ Security

    • PB-19090 Protect forms from spell-jacking attack

  • v3.7.2 Changes

    September 20, 2022

    πŸ›  Fixed

    • πŸ”§ PB-18380 Let passbolt-configure script setup certbot for RHEL9 support
    • PB-16983 Handles the lack of permissions on image directory when deleting
    • πŸ’» PB-16898 Redesign download a supported browser to get started

    πŸ‘Œ Improved

    • βœ… PB-18650 Add a check on mysql status in order to run mysql commands only when it's ready in unit tests
    • πŸ‘· PB-18664 Add retry logic to Gitlab CI jobs

  • v3.7.1 Changes

    August 10, 2022
    • PB-18381 Fix source language typos
    • PB-18397 Fix as an admin I can generate a server key with the webinstaller within an instance over http
    • PB-17096 Fix resouce_types name and slug postgresql compatibility
    • PB-18372 Bump styleguide version to 3.7.1

  • v3.7.0 Changes

    July 28, 2022

    βž• Added

    • PB-17098 Add rockylinux 9 support
    • PB-16751 Add Redhat 9 support
    • PB-16749 Add Ubuntu 22.04 support
    • PB-16950 Add Spanish and Lithuanian support
    • PB-14514 Add PHP8.0 support
    • PB-14514 Fix PHP8.1 compatibility issues
    • PB-16161 Create action log endpoint for user CRUD
    • PB-16844 Common part of the user recovery and setup audit log

    πŸ”’ Security

    • PB-17068 PBL-07-002 Fix key algorithm validation should be set to strict on setup
    • PB-17068 Fix OpenPGP unarmor should use base64_decode in strict mode
    • PB-17068 SEC-1292 Fix unsafe default recipient email address (Credit: Ashley Primo)

    πŸ›  Fixed

    • PB-16705 As group manager updating group memberships I should not get a timeout
    • PB-16949 As group manager deleting a group user the operation should not be slowed down by the folders plugin
    • PB-16705 As a group manager updating group memberships I should not get a timeout due to a plugin integration
    • PB-17068 Fix GroupsUsersValidatorTest psr-4 autoloading warning
    • PB-17007 As AD performing a cleanup of the missing folders relations I should not get a timeout
    • PB-16749 Fix jobs to reuse last job artifact instead of rebuilding it everytime
    • PB-16877 Fixes ClearMfaCookieOnSetupAndRecover for controllers without User component
    • PB-16666 GITHUB-432 Fix healthcheck style

    🚧 Maintenance

    • PB-17009 Replace createrepo by createrepo_c
    • PB-16956 Misc Fixture Factories refactoring
    • PB-16956 Modernize folders plugin bootstrap, add src/Plugin.php file
    • PB-16806 UacAwareMiddleware trait now return UAC exclusively. More typing in UAC object.
    • PB-16161 Renames ambiguous testing traits
    • PB-16161Add and enhance log related factories
    • PB-16791 Upgrade webinstaller openpgpjs to v5
    • PB-14514 Update to composer v2.2 + Fix CI jobs
    • PB-16657 Remove mariadb dependency
    • PB-16161 Refactor to split folder, resource and user related logic in respective classes

  • v3.6.0 Changes

    πŸ‘Œ Improved

    • πŸ”¨ PB-9739 OpenPGP key and message validation refactoring
    • PB-14141 Enhanced public/private key validation rules
    • PB-13685 Enhanced secret validation rules
    • πŸ”¨ PB-14138 Refactor setup and recover related controllers with dependency injection
    • PB-14510 Three trivial endpoints, such as GET on login are not logged anymore

    πŸ”’ Security

    • ⬆️ PB-14400 Upgrade firebase/php-jwt to 6.1

    πŸ›  Fixed

    • βœ… PB-14369 Fixes email settings issues in the test suite
    • PB-15046 Handle user lost-passphrase scenarios with API <= v3.5

    🚧 Maintenance

    • ⬆️ PB-14812 Upgrade cakephp/cakephp to 4.3

  • v3.5.0 Changes

    January 12, 2021

    βž• Added

    • PB-13161 As LU I should be able to use passbolt with my Android mobile
    • PB-13161 As LU I should be able to use passbolt with my IOS mobile
    • PB-5967 As AD I can use passbolt with a PostgreSQL database provider [experimental]
    • πŸ’» PB-5967 As AD I can migrate an existing instance to PostgreSQL with the help of the command line [experimental] and MySQL to Postgres migration tools, e.g. as described here: https://pgloader.readthedocs.io and here: https://pgloader.io/.
    • PB-8513 As LU I can request gpg keys using pagination
    • PB-13321 As a user I can use passbolt in Dutch
    • PB-13321 As a user I can use passbolt in Japanese
    • πŸ’… PB-13321 As a user I can use passbolt in Polish

    πŸ‘Œ Improved

    • PB-12817 As LU I can import avatars having a jpeg extension
    • πŸ‘€ PB-12943 As AD I should be able to see log when a user tries to sign-in with an invalid bearer token
    • 🐎 PB-12888 Improve performances of the operations requiring permissions accesses by replacing the single index on type by a combined index involving the requested columns
    • πŸ‘€ PB-13177 As AD I should be able to see any gpg keys errors from the healthcheck
    • PB-13183 As LU I should be able create resource having a name or a username of 255 characters long
    • PB-13265 As AD I can create a JWT key pair even if the database is not set
    • PB-13164 As AD I can cleanup duplicate entries in the favorites tables, groups_users and permissions

    πŸ”’ Security

    • PB-13217 PBL-06-011 Fix ACL on mobile transfer view controller

    πŸ›  Fixed

    • PB-9887 Fix as AD I can send email digest from the /bin/cron script
    • PB-12957 Fix multiple language issues reported by community
    • ⚑️ PB-12914 Fix as a group manager I should not get multiple notifications when a group is updated
    • πŸ‘€ PB-13158 As AD I should see a tip with proper directory permissions when the JWT assets healthcheck fails

    🚧 Maintenance

    • 🚚 PB-12835 Move users setup/recover/register controllers logic into services to welcome the upcoming account recovery feature

  • v3.4.0 Changes

    December 07, 2021

    βž• Added

    • PB-9826 As a user I want to use passbolt natively on Edge
    • πŸ‘€ PB-8371 As LU I want to see the login/MFA/recover/register screens in dark mode

    πŸ‘Œ Improvement

    • πŸ‘€ PB-8522 As LU I should see the MFA verify field having focus
    • PB-9730 As AD I should be able to check avatars read issues from the healthcheck

    πŸ›  Fix

    • πŸ‘€ PB-8932 Fix as LU I should see an animation when I successfully configured MFA
    • πŸ‘€ PB-9286 Fix as LU I should see the locale dropdown field of the setup/recover screen well positioned
    • πŸ‘€ PB-9397 Fix as AD I shouldn't see an error on the healthcheck if the JWT auth is disabled and I never configured it
    • PB-9114 Fix as lu I should be able to upload a transparent avatar in .png format.
    • PB-9750 Fix spelling mistakes reported by the community
    • PB-9762 Fix requesting /auth/login.json should not trigger an unexpected error
    • 🚚 PB-9888 Fix MFA & JWT refresh token issue, remove Bearer from the hashed session identifier
    • ⚑️ PB-12817 Fix as LU I should be able to update jpeg avatar

    πŸ”’ Security

    • PB-7374 As soft deleted but logged in user I should be forbidden to request the API
    • PB-9340 Fix email queue data should be stored and deserialized as json and not php

    🚧 Maintenance

    • πŸ”¨ PB-9311 Refactor JWT and MFA plugins for better code maintainability.
    • βœ… PB-8320 Implement the tests that are marked as incomplete for cleaner continuous integration test reports
    • PB-8211 Psalm set to level 4
    • PB-9726 Fix do not load cleanup tasks unless in CLI mode
    • βœ… PB-9753 Improve table fields validation tests, do not save entity when testing the validation of properties
    • 🚚 PB-9310 Move avatar file_storage logic into AvatarsTable
    • ⚑️ PB-9785 Update JWT healthcheck help messages
    • PB-9656 Migrate fields from utf8mb4 to a more performant encoding when possible

  • v3.3.1 Changes

    November 24, 2021

    πŸ”’ Security fixes

    • 0️⃣ PB-9820 / PBL-06-008 WP3: JWT key confusion leads to authentication bypass (High) [experimental][disabled by default]