Releases: passbolt/passbolt_api
v5.11.0
Passbolt 5.11.0 "Got To be Real" marks SCIM provisioning as production-ready following an external security audit by Cure53. This release also adds PingOne as a new SSO provider and introduces OAuth support for SMTP authentication with Microsoft Exchange Online, ahead of Microsoft's planned deprecation of basic authentication at the end of 2026.
SCIM: audit fixes and general availability (Passbolt Pro)
SCIM provisioning, introduced as beta in Passbolt 5.5.0, is now marked as stable. With SCIM, administrators can create, update, suspend, and delete users directly from their identity provider, without ever touching the Passbolt UI. Microsoft Entra ID and Okta have been tested and validated as supported providers.
This milestone follows an external security audit conducted by Cure53, whose findings have been addressed across this and previous releases. The full report will be published shortly and made available to the community.
PingOne SSO support (Passbolt Pro)
This release adds PingOne as a new SSO provider. Organisations using PingOne can now authenticate their users without leaving their existing identity infrastructure.
PingOne joins the list of supported SSO providers alongside Azure AD, AD FS, Google, and the generic OpenID Connect connector that supports providers such as Keycloak or other in-house identity systems.
SMTP OAuth support for Microsoft Exchange Online
This release introduces OAuth 2.0 support for SMTP email delivery with Microsoft Exchange Online. Microsoft has announced that basic authentication for SMTP will be disabled by default at the end of 2026 (see Microsoft's updated deprecation timeline). Organisations using Exchange Online can start transitioning to OAuth now, ahead of the deadline.
Safari update (beta)
The Safari extension moves to its next milestone. While still in beta, organisations can now opt in by enabling a feature flag in the API configuration file or via environment variable. Once enabled, the browser extension becomes available through what will become the stable package on the Apple Store, allowing organisations to deploy it for all their users.
Safari support is not yet fit for production use. For more details about the known limitations and risks, see the open beta announcement. We thank the community members participating in the TestFlight program for their continued feedback and encourage pioneers who are comfortable with the risk to enable it and share their experience.
To enable the Safari beta through an environment variable, set PASSBOLT_PLUGINS_SAFARI_ENABLED to true.
To enable the Safari beta from the passbolt.php configuration file, add:
'passbolt' => [
    'plugins' => [
        'safari' => [
            'enabled' => true,
        ],
    ],
],
Other changes
This release adds autofill support for ProxMox, OVH, Supermicro IPMI, and several other websites. We continuously work to improve autofill coverage and the feedback from the community is invaluable. If you encounter a website where autofill does not work as expected, do not hesitate to file a bug report.
As usual, the release is also packed with additional improvements and fixes. Check out the detailed logs to learn more.
Conclusion
Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!
Changelog
Added
- PB-49875 OAuth support for smtp authentication
- PB-50158 Add a feature flag to enable/disable Safari availability on a Passbolt instance
- PB-50199 As an admin I can contain my_group_user in POST /groups.json
- PB-50646 Add Permissions-Policy header on the API response
- PB-32992 [Pro] As a user I can use PingOne as single sign on provider
- PB-50524 [Pro] Move SCIM feature out of beta
Fixed
- PB-49323 As a user creating a resource, I should not get a 500 if the secret passed is not an array of secrets
- PB-40266 Health-check issues on Ubuntu 24 when running while being in a directory without the +x permission bit for www-data user (GITHUB #571)
- PB-50021 As a guest, I should not get a 500 on GET /users.json?contain[pending_account_recovery_request]=1
- PB-49823 Fix misleading email notification footer
- PB-50028 GITHUB - Fix GPG authentication nonce UUID validation using incorrect comparison operand (#592, #596)
- PB-50121 Replace rand() with a static counter to generate unique bind-parameter placeholder (GITHUB #595)
- PB-50241 As a logged-in user I should not get a 500 when logging-in again
- PB-49902 As a user I cannot create a v4 resource with v5 resource type
- PB-49286 [Pro] PBL-15-009 WP4: Non-transactional group member operations (Low)
- PB-49160 [Pro] PBL-15-012 WP1: Potential admin lockout via malicious IdP request (Low)
- PB-49159 [Pro] PBL-15-011 WP4: Lack of transaction wrapper in production sync (Low)
- PB-49285 [Pro] PBL-15-008 WP4: ScimEntry uniqueness race condition (Medium)
- PB-49284 [Pro] PBL-15-007 WP5: Potential DoS via pre-authentication GPG decryption (Low)
- PB-49151 [Pro] PBL-15-003 WP3: Lack of bearer token expiry & revocation schemes (Medium)
- PB-50646 Add Permissions-Policy header on the API response
Improved
- PB-50070 Align X-Frame-Options with CSP and add missing X-XSS-Protection header
Maintenance
- PB-50133 Align allowCsvFormat variable name in plugin config.php
- PB-50173 Fix composer security vulnerability advisory affecting phpseclib/phpseclib package (CVE-2026-32935)
- PB-49096 Remove unused MFA assets & pages served by the browser extension
You've Got the Love
Release song: https://www.youtube.com/watch?v=9Nv-WHmjN7s
Passbolt 5.10 “You've Got the Love” introduces the first Safari-compatible version of the Passbolt browser extension. The extension is currently available as a beta preview for testers who want to try it and provide feedback ahead of the stable release. This version also brings new productivity features such as TOTP autofill and tags visible in the grid, along with security hardening and performance improvements.
Safari beta support (TestFlight preview)
Passbolt 5.10 introduces the first Safari-compatible version of the Passbolt browser extension. The Safari extension is currently available as a build distributed through TestFlight via this public link for users who want to try it and provide feedback ahead of the stable release. The extension is currently distributed this way while work continues toward a stable Safari release.
Learn how to get started with the Safari beta in the dedicated guide.
TOTP autofill
Users can now autofill one-time passwords (TOTP) directly in login forms, similar to how usernames and passwords are autofilled.
When a webpage contains a TOTP field, Passbolt detects it and proposes relevant resources that contain a configured TOTP secret.
Users can then select the resource to fill the current one-time password directly into the form.
TOTP autofill can be triggered either from the in-form menu or from the Quick Access interface, allowing users to complete multi-factor authentication without manually copying codes between applications.
Tags visible in the grid (Passbolt Pro)
Tags are now displayed directly in the resources grid, making it easier to identify and filter resources without opening the resource details view.
A new tags column shows the tags associated with each resource. Tags are displayed in alphabetical order and remain clickable, allowing users to filter the workspace by selecting a tag directly from the grid.
When multiple tags exist, the grid displays as many as possible within the column width and indicates additional tags using a counter with a tooltip showing the remaining tags.
This update also modernises the tag codebase and lays the groundwork for further improvements to tagging capabilities.
Security improvements
The Passbolt team is currently preparing its First Level Security Certification (CSPN) with the French National Cybersecurity Agency (ANSSI). This release includes some fixes following the CSPN pre-audit evaluation done in partnership with Quarkslab and an external audit of SCIM provisioning by Cure53. This release addresses the findings identified during both audits.
One notable issue is CSV injection: CSV exports could be susceptible to formula injection when opened in spreadsheet software. This issue was known and classified as out of scope, as exported CSV files are not intended to be opened in spreadsheets but with the password manager they were generated for. However, we revisited this decision and settled on a security-by-default approach: CSV export is now disabled by default, which fixes the bigger problem of credentials being potentially exported in plaintext. Organisations that still rely on it can re-enable the feature through configuration. Encrypted KDBX export remains available and is the recommended format for credential portability. Looking ahead, we plan to support the FIDO CFX format in a future release to further standardise credential import and export across tools.
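An added illustration of the formula-injection risk described above (not Passbolt code; the column names and sample rows are constructed assumptions, not Passbolt's export format). It flags cells that spreadsheet software may evaluate, and shows that the common apostrophe-prefix mitigation alters secrets that legitimately begin with such a character, so a neutralised export no longer round-trips.

```python
import csv
import io

# Leading characters that spreadsheet software may treat as the start of a formula
# (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export; column names are an assumption for this example.
SAMPLE_EXPORT = """Title,Username,URL,Password,Notes
Wiki,alice,https://wiki.example.test,correct-horse,=1+1
VPN,bob,https://vpn.example.test,+Tr0ub4dor&3,
Mail,carol,https://mail.example.test,hunter2,@SUM(A1:A2)
DB,dave,https://db.example.test,-x9!kQ,plain note
"""


def is_risky(value):
    """True when a cell could be evaluated as a formula by a spreadsheet."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def find_formula_cells(csv_text):
    """Return (row_number, column_name, value) for every risky cell."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row_number, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            if is_risky(value):
                hits.append((row_number, column, value))
    return hits


def neutralise(value):
    """Prefix a risky cell with an apostrophe so spreadsheets treat it as text."""
    return "'" + value if is_risky(value) else value


def neutralise_csv(csv_text):
    """Rewrite the whole export with every risky cell neutralised and quoted."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        writer.writerow([neutralise(cell) for cell in row])
    return out.getvalue()


def secrets_altered_by_neutralising(csv_text, secret_column="Password",
                                    name_column="Title"):
    """Names of entries whose secret would differ after neutralising.

    These credentials would be wrong if the neutralised file were imported
    back into a password manager without reversing the prefix.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[name_column] for row in reader
            if neutralise(row[secret_column]) != row[secret_column]]


if __name__ == "__main__":
    for row_number, column, value in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {row_number}, column {column}: {value!r}")
    print("secrets changed by neutralising:",
          secrets_altered_by_neutralising(SAMPLE_EXPORT))
```
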
Content Security Policy enforcement has been extended to close remaining gaps, further reducing the attack surface in case of a breach. Because the browser extension serves its own code locally rather than relying on the API, sensitive operations were already well protected by design against server-side injection.
Additionally, an external security audit of SCIM provisioning has been completed, and this release includes fixes for a number of the findings. We are actively working through the remaining issues and will publish the full audit results once that work is done. SCIM will exit beta and ship on Passbolt Cloud as soon as all findings are resolved.
Maintenance & performance
This release brings a major upgrade to React 18, resulting in up to 20% faster rendering and the elimination of rare visual glitches that could cause flashes during navigation.
First load times have also improved substantially. Large organisations with thousands of resources will notice the biggest difference, with initial data processing now up to 20% faster.
Bear with us, more optimisations are already in the pipeline for future releases.
Conclusion
As usual, the release is also packed with additional improvements and fixes. Check out the changelog to learn more.
Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!
Changelog
Added
- PB-48415 As an administrator, I can define the export policies to prevent CSV Export RCE
- PB-45576 As a logged-in user, the user ID only should be stored in session
- PB-24273 GET /auth/logout endpoint is now disabled by default
- PB-48148 Enforces content security policy
Fixed
- PB-48092 Fixes incorrect client IP in error logs by moving HttpProxyMiddleware upper in the middlewares chain
- PB-48208 POST /mfa/verify/yubikey should not trigger 500
- PB-43183 Improve folders cascade delete performance by refactoring code using iterative BFS and batch operations
- PB-49323 As a user creating a resource, I should not get a 500 if the secret passed is not an array of secrets
- [PRO] PB-47973 As an administrator I can synchronize with active directory longer entries in order to support 2 or more bytes alphabets
- [PRO] PB-49152 PBL-15-004 WP1: Fixes unsalted SHA256 hashing of bearer tokens in SCIM
- [PRO] PB-49148 PBL-15-002 WP3: Fixes suboptimal token generation randomness of SCIM bearer token
- [PRO] PB-49153 PBL-15-005 WP2: Fixes race condition in SCIM user creation endpoint
- [PRO] PB-49158 PBL-15-010 WP4: Fixes directory entry foreign key race condition
Security
- [PRO] PB-49154 PBL-15-006 WP2: Disable user enumeration via error messages on SCIM user creation endpoint
Maintenance
- PB-48556 Fixes CVE-2026-25129 security vulnerability advisory for psy/psysh package
- PB-47677 Upgrades firebase/php-jwt to version v7.0.0
- PB-47628 Upgrades cakephp/cakephp to v5.2.12
- PB-48555 Fix CVE-2026-24765 security vulnerability advisory for phpunit/phpunit package
- PB-48396 Update composer/composer package to 2.9.5 to fix CVE-2026-24739 in symfony/process package
Flight Facilities
Release song: https://www.youtube.com/watch?v=QNa5o85Q-FE
Passbolt 5.9 is a maintenance release. It expands runtime compatibility with PHP 8.5, contains additional health checks, and closes a couple of security gaps around user enumeration and clickjacking.
Warning: If you run MariaDB 10.3 or 10.5, or MySQL 5, pay particular attention to the environment section below.
Support for these versions is planned to stop in January 2027, and this release starts flagging them as end of life.
Environment support and early deprecation notice
Passbolt 5.9 adds PHP 8.5 support, helping administrators and platform teams validate upcoming runtime upgrades in advance.
Moreover, while PHP 8.2 is still supported until 2027, it has entered security maintenance, and administrators should plan its upgrade this year.
At the same time, this release improves environment health checks to surface database versions that have reached end of life. MariaDB 10.3 and 10.5, and MySQL 5, are now flagged as deprecated, allowing administrators to identify risky deployments during routine maintenance rather than responding under time pressure. These notices are tied to a planned end of support in January 2027.
Safer account recovery responses to reduce email enumeration risk
Account recovery endpoints can reveal whether a user exists, which makes targeted attacks easier. In Passbolt 5.9, the recover endpoint no longer leaks information when a user does not exist in the database.
Stronger protection against clickjacking and deceptive overlays
Clickjacking and overlay techniques aim to trick users into clicking something different from what they believe they are interacting with. Passbolt 5.9 reinforces defenses against these UI-level attacks in edge-case conditions, including scenarios where a compromised website tries to influence user interactions when a password could be suggested.
In practice, this extra layer of strengthening helps ensure users cannot be guided into interacting with sensitive Passbolt components when those components are not fully visible and clearly presented to them.
Better visibility and efficiency around email digest operations
Large folder operations can generate a lot of email activity and can be difficult to reason about as queues grow. Passbolt 5.9 improves digest handling related to folder operations, helping reduce unnecessary mail churn in workspaces where folder structure and permissions evolve frequently.
In addition, the passbolt email_digest command now reports how many emails were sent and how many remain in the queue. This makes it easier for administrators to confirm progress, anticipate bursts, and troubleshoot queue behavior using logs.
Maintenance work that improves stability over time
Passbolt 5.9 continues the migration work to React 18. The first part of the application has been migrated. This is a larger foundational effort that will improve stability and long-term performance.
Conclusion
This release also includes additional fixes and improvements as seen below. Thanks to the community members and teams who reported issues and helped validate fixes.
[5.9.0] - 2026-01-26
Added
- PB-44749 As an administrator I should get notified in the healthcheck about the deprecation of the database type and version
- PB-47893 As an administrator running the bin/cron command, I can see in the logs the number of emails left to send
- PB-46111 As a user I should receive a single email digest when more than one folders are created, updated or deleted
Fixed
- PB-47991 As an administrator I should not get a data-check error for deleted resources with no active metadata keys
- PB-47987 As an administrator I should not get a data-check error for deleted secrets
Security
- PB-47276 As a non-logged in user I cannot enumerate user emails using the recover endpoint
Maintenance
- PB-47701 Specify 1.1.0 version as minimum duo universal SDK package version in composer.json
- PB-47794 Update composer/composer to fix security-check job due to CVE-2025-67746
Everything in its Right Place
Release song: https://www.youtube.com/watch?v=F5uXomY94w8
Passbolt 5.8.0 introduces dynamic role management, allowing organizations to define additional roles that better align with internal policies, compliance requirements, and operational needs. This release also adds drag & drop user assignment to groups, simplifying day-to-day user and group management.
Warning: Ensure that all users have updated their browser extension to at least version 5.8 before assigning new roles. Otherwise, they will not be able to connect to Passbolt.
Dynamic role management
As was already the case with the default User role, Passbolt allows administrators to restrict what users can do by limiting access to specific capabilities. With version 5.8, this model is extended beyond the default Admin and User roles, making it possible to create additional roles and assign them to users for more granular control.
Dynamic roles also enable the delegation of administrative responsibilities. Rather than granting full administrative access, administrators can now assign selected capabilities to custom roles and distribute operational tasks across multiple users. Initial support covers group creation, as well as handling account recovery requests in Passbolt Pro.
At this stage, dynamic role management comes with a defined scope and set of constraints.
- The default Admin and User roles keep fixed names and cannot be renamed or deleted.
- As before, the User role can be restricted, but it cannot be assigned delegated administrative responsibilities.
- The Admin role, by contrast, always retains access to all capabilities and cannot be restricted.
- Custom roles are currently limited to two per instance and support a first set of administrative capabilities.
This scope will be expanded progressively as additional needs and use cases are identified by the community.
Drag & drop users to groups
Managing group membership often requires repetitive actions when working with large teams or frequently changing group structures. With Passbolt 5.8, administrators can now add users to a group by dragging them directly onto it from the Users & Groups workspace. This removes the need to open and edit each group individually and makes day-to-day group management faster and more fluid.
Miscellaneous improvements
As usual, this release includes fixes and smaller improvements intended to improve the overall experience. For the full list of changes, please refer to the changelog.
Many thanks to everyone who provided feedback and helped refine these features.
[5.8.0] - 2025-12-22
Added
- PB-46972 As an administrator I can create a new custom role
- PB-46973 As an administrator I can update a custom role
- PB-46968 As an administrator I can soft delete custom roles
- PB-46971 As an administrator I can list roles including deleted ones via filter
- PB-47169 As a user I receive an email notification when my role is changed
- PB-47345 As an administrator I receive an email notification when a role is created or updated
- PB-46975 As an administrator I can list RBACs including Actions
- PB-46976 As an administrator I can update RBACs for Actions
- PB-47006 As a logged-in user my role is fetched on every request to reflect role changes immediately
- PB-47083 As a user with appropriate RBAC permissions I can create groups
- PB-47196 As an administrator I can run the healthcheck command in POSIX mode
- PB-47274 As an administrator I can run a command to populate created_by and modified_by fields in secrets
- PB-47275 As an administrator I can run a command to populate secret revisions for existing secrets
Fixed
- PB-46374 As first admin I should not receive emails regarding encrypted metadata enablement during the first setup
- PB-46613 Fix web installer not working in HTTP when not in secure context
- PB-46640 Fix warnings in mfa_user_settings_reset_self.php email template
- PB-46645 Optimize action logs purge command dry run query
- PB-46913 Fix MfaUserSettingsDisableCommand to support case sensitive username comparison
- PB-46935 Fix 500 error on /metadata/session-keys/{uuid}.json endpoint when the request is sent twice
- PB-47236 Reduce the PHP memory load of the V570PopulateSecretRevisionsForExistingSecrets migration
Security
- PB-46890 Upgrade js-yaml dependency (Medium severity)
Maintenance
- PB-45979 Add CACHE_CAKETRANSLATIONS_CLASSNAME environment variable for cake_translations cache config
- PB-46388 Fix PHPUnit 11 deprecations
Gnossienne No. 1
Release song: https://youtu.be/t12nOxmB278
Passbolt 5.7.2 fixes an issue introduced in v5.7.0 that affected the health check when it was run after the cleanup command.
The bug caused the server metadata private key to be incorrectly deleted, resulting in health check failures.
This has now been resolved, and the cleanup process works as expected.
We thank the community again for reporting this issue!
[5.7.2] - 2025-11-17
Fixed
- PB-46826 As an administrator running the cleanup task, the server metadata private key entry should not be deleted
Come Together
Release song: https://youtu.be/XZMFeDxW60A?si=OJshLL0aEMe_5yTe
Passbolt 5.7.1 fixes an issue introduced in the previous version that affected logging in with Duo MFA. Authentication with Duo is now fully restored.
We thank the community for reporting this issue!
[5.7.1] - 2025-11-14
Fixed
- PB-46680 Fix DUO authentication form blocked by CSP header
Bloom
Release song: https://youtu.be/fMnh5Tn8aeM
Passbolt 5.7.0 introduces secret history, a highly demanded feature that gives users visibility and control over previous versions of their secrets. This release also includes several usability improvements requested and bug fixes reported by the community.
Secret history
It is now possible to access previous revisions of a secret directly from Passbolt.
Secret history helps reduce the impact of human error and offers a safer way to manage evolving secrets. For instance, this enables users to undo an accidental update on the spot. Note that the feature is disabled by default and requires an administrator to enable it from the administration workspace.
User and group workspace improvements
A new “Remove from group” action has been added to the user and group workspaces. This addition eliminates the confusion between permanently deleting a user and simply removing them from a specific group.
Moreover, administrators can now instantly filter users that require attention via the “Attention Required” filter in the workspace. For instance: identifying users with a pending account recovery request to review, or missing metadata keys.
Import report
The application now displays a summary dialog after an import, offering accurate and actionable information.
The report precisely categorises alerts into successes, warnings and errors, providing end users with additional logs.
Miscellaneous improvements
As usual, this release is packed with improvements and bug fixes reported by the community. Notably, the reliability of autofill has been improved across a wider range of websites. If you find that autofill does not work on a particular website, feel free to open a bug report including the website details to help us identify the custom selector. For more, check out the changelog below.
Many thanks to everyone who provided feedback, reported issues, and helped refine these new features.
[5.7.0] - 2025-11-12
Added
- PB-46107 As an administrator I can define the number of past secret revisions persisted in DB
- PB-46109 As an administrator I can block the edition of the secret revisions settings with a configuration flag
- PB-46110 As a logged-in user I can view the past secret revisions of a resource
- PB-45059 As an administrator I can see in the healthcheck if zero knowledge is activated and the server has access to the key
- PB-45496 As an administrator I can run a clean-up task to delete metadata private keys entries of soft & hard-deleted users
- PB-45567 As an administrator I can run a passbolt user_index command to list all users
- PB-45567 As an administrator I can run a passbolt user_promote_to_administrator command to promote users to administrators
- PB-45567 As an administrator I can run a passbolt mfa_user_settings_disable command to disable MFA for a given user
- PB-46146 As an administrator I can hide the warning on commands run as non web-user with a configuration flag
Security
- PB-45158 Adds frame-ancestors:none and form-action:self to the CSP header
Fixed
- PB-44623 The API should return a 400 instead of 500 on /auth/jwt/logout.json when refresh_token isn't a UUID
- PB-45760 Fixes a translation in setup recover abort email reported by community
- PB-45262 Prevent activity log from showing secret creation during resource share as a secret update
Maintenance
- PB-45731 As a developer I can ensure by unit tests that all Crowdin translations are parsable
- PB-45788 Updates sessions.sql file as per the latest cakephp skeleton
- PB-43742 Updates PHPUnit vendor to v11
- PB-45829 Upgrades Passbolt API Web Installer to use OpenPGP.js version 6
Camillo
Release song: https://youtu.be/SUu9aEoQOL8
Passbolt 5.6.1 addresses a security issue identified in the underlying CakePHP framework.
The issue has been fully mitigated through a framework update.
All administrators are advised to update to this version to maintain a secure environment.
[5.6.1] - 2025-11-04
Security
- PB-45919 Fix security issue in query generation for CakePHP
Big Jet Plane
Release song: https://www.youtube.com/watch?v=bu50DtPF1Ac
Passbolt 5.6.0 introduces standalone notes to store sensitive secrets beyond passwords and shared metadata key rotation to give organisations stronger control over their encrypted data. This release also delivers several long-awaited usability improvements on the main workspaces that make the day-to-day experience smoother.
Standalone notes
It is now possible to create notes as standalone resources, no longer tied to a password or TOTP entry. This offers a dedicated resource type for text-based secrets that don’t fit into existing supported types such as passwords, TOTPs, or custom fields.
Standalone notes benefit from the same permissions, encryption, and audit trail as passwords, ensuring they remain just as secure and shareable. Each note supports up to 50 KB of text, leaving ample room for certificates, SSH keys, or other long-form secrets that Passbolt plans to support natively in the future. Import and export flows have been updated accordingly and any imported resources that contain only a description will now be recognised and created as standalone notes.
Resizable sidebars: more space where it matters
Both the main workspace and the Users & Groups workspace now feature sidebars that can be resized, giving users more control over how they view their data. This improvement makes it easier to read long folder names and navigate deeply nested folder structures.
The ability to resize sidebars adds to the overall customisation of the interface, complementing existing options such as adjusting the width of the main workspace grid columns or choosing which information to display. Once adjusted, the sidebar adapts smoothly to the preferred width, and a quick double-click on the handle resets it to the default size.
Shared metadata key rotation
Administrators can now rotate the shared metadata key directly from the organisation settings without disrupting the availability of the instance. This capability gives organisations greater control over their encrypted metadata and is another milestone in completing the encrypted metadata roadmap.
Rotating the shared key enhances security in several important ways. It supports compliance with internal security policies or industry standards that require periodic key rotation. It also strengthens forward secrecy: when a collaborator leaves the organisation, administrators can generate and distribute a new shared metadata key to ensure that former members cannot access metadata encrypted after their departure.
Miscellaneous Improvements
This release is also packed with minor bug fixes and performance improvements, notably in group management where large updates are now split into smaller requests. This change reduces the load on the API and resolves timeout issues that could occur when many changes were applied to the same group at once. For the full list of changes, check out the changelog.
Many thanks to everyone who shared feedback, reported issues, and helped refine these features.
[5.6.0] - 2025-10-08
Added
- PB-45058 Add datacheck to check for existing metadata key with no metadata private keys
- PB-44187 As an admin I cannot delete a metadata key associated with a deleted resource
- PB-44183 As a user that is sole owner of v4 resources when v4 resources types are disabled, v4 resources should be ignored on an ownership transfer request
- PB-44770 As a user I want to configure the trusted_proxies list as an environment variable
- PB-45471 Add new database migration to add standalone notes resource type
- PB-45472 Update resource types endpoints tests to assert enable/disable is working for new standalone notes resource type
- PB-45473 Update resources endpoints tests to accommodate new standalone notes resource type
Fixed
- PB-45222 Fix EmailDigest not working for v5 resources
- PB-45447 Fix PUT /metadata/keys/.json endpoint returning 500 error with trailing data
- PB-45436 As an administrator I can define the default cache engine with an environment variable
- PB-45454 Fix 500 error due to MySQL deadlock on create resource endpoint
- PB-45456 Allow editing of v4 resources even when v4 resource type creation is disabled
- PB-45258 Fix grammatical errors in the resource update email content
- PB-45057 Reduce memory consumption on the action logs endpoints
- PB-45057 Reduce memory consumption on resources and folders index endpoints
Maintenance
- PB-44813 Bring back DDEV ldap related services for development environment
- PB-44593 Bump i18next version
- PB-45161 Fix regularly failing UsersIndexControllerPaginationTest.php test
- PB-45270 Add custom exception message with client IP in /healthcheck/error.json
- PB-45062 Fix user_setup_complete.php template in LU folder instead of AD
Big Jet Plane
Release song: https://www.youtube.com/watch?v=bu50DtPF1Ac
Passbolt 5.6.0-rc.1 is a feature release candidate introducing standalone notes, shared metadata key rotation and resizable sidebars. This release comes as usual with security reinforcement by updating 3rd party libraries and other bug fixes.
In addition, it also includes bug fixes and maintenance updates:
- export of account kit is compatible with bigger private keys
- group membership update process is updated to reduce request size and avoid some size limitations
- folder name sort now includes natural number counting
Make sure to follow the steps here. As always, your feedback is invaluable, give it a try and report any issues you come across.
Enjoy the testing journey! ❤️
[5.6.0-rc.1] - 2025-10-06
Added
- PB-45058 Add datacheck to check for existing metadata key with no metadata private keys
- PB-44187 As an admin I cannot delete a metadata key associated with a deleted resource
- PB-44183 As a user that is sole owner of v4 resources when v4 resources types are disabled, v4 resources should be ignored on an ownership transfer request
- PB-44770 As a user I want to configure the trusted_proxies list as an environment variable
- PB-45471 Add new database migration to add standalone notes resource type
- PB-45472 Update resource types endpoints tests to assert enable/disable is working for new standalone notes resource type
- PB-45473 Update resources endpoints tests to accommodate new standalone notes resource type
Fixed
- PB-45222 Fix EmailDigest not working for v5 resources
- PB-45447 Fix PUT /metadata/keys/.json endpoint returning 500 error with trailing data
- PB-45436 As an administrator I can define the default cache engine with an environment variable
- PB-45454 Fix 500 error due to MySQL deadlock on create resource endpoint
- PB-45456 Allow editing of v4 resources even when v4 resource type creation is disabled
- PB-45258 Fix grammatical errors in the resource update email content
- PB-45057 Reduce memory consumption on the action logs endpoints
- PB-45057 Reduce memory consumption on resources and folders index endpoints
Maintenance
- PB-44813 Bring back DDEV ldap related services for development environment
- PB-44593 Bump i18next version
- PB-45161 Fix regularly failing UsersIndexControllerPaginationTest.php test
- PB-45270 Add custom exception message with client IP in /healthcheck/error.json
- PB-45062 Fix user_setup_complete.php template in LU folder instead of AD