Passbolt v4.11.0 introduces beta support for encrypted metadata in the administration settings, laying groundwork for the upcoming v5 release and its new resource format.
This beta feature allows developers and integrators to explore and adapt their systems ahead of the transition.
This release also resolves a security issue where an attacker could modify the Passbolt URL in certain emails if an administrator’s configuration was invalid. Additionally, role-based access control is now enforced for the “Copy to Clipboard” feature in the browser extension. Vulnerabilities in dependencies—though not directly impacting Passbolt—have been addressed as well.
As one of the final updates in the v4 series, this version prepares administrators for v5. While v4.11.0 does not require PHP 8.2, v5 will. We recommend beginning to plan or upgrade PHP to ensure a smooth transition. If a server migration is needed, please consult the online documentation.
Thank you to the community for your feedback and support.
API
Added
- PB-35761 As an administrator I receive an email if zero_knowledge_key_share is set to true and a new user completed the setup
- PB-36558 As an administrator I can mark metadata_keys as expired
- PB-35986 As an administrator I can share missing metadata private keys for users that needs them
- PB-35925 As an administrator I can see if users are missing access to metadata keys
- PB-37069 As an administration I can run a command to share metadata private keys with users that need them
- PB-37068 As a user I can see if I am missing metadata keys
- PB-36600 As an administrator I should be notified when an administrator expires a metadata key
- PB-35418 As an administrator I should receive an email notification when a metadata key is deleted
- PB-37361 As an administrator I can rotate metadata keys encrypting resources metadata
- PB-37697 As an administrator I can upgrade resources to v5 format
- PB-35927 As an administrator I can define an allow_v4_v5_upgrade metadata type settings
- PB-35923 As an administrator I cannot add a new metadata key if there is only 2 that are active
- PB-34463 As an administrator I cannot reuse metadata keys as the account recovery key
- PB-35929 Update edit resource to support allow_v4_v5_upgrade settings
- PB-35932 Update edit folders to support allow_v4_v5_upgrade settings
- [PRO] PB-35933 Update edit tags to support allow_v4_v5_upgrade settings
Fixed
- [PRO] PB-36947 Fix passbolt.plugins.sso.debugEnabled config not overwritten by passbolt.php
- PB-37719 Fix resource types index controller should not return deleted resource types per default
- PB-36925 Cast configure usage to avoid fatal type error on missing fullBaseUrl
- PB-36576 Fix as a user I cannot create or edit a tag with an expired or deleted metadata key
- PB-37097 Fix prevent to use v5 resource_type_ids if v5 flag is off
- PB-36930 Fix some email sentences not translated and markers errors in translation
- PB-37096 Fix healthcheck relying on symfony/process should fail gracefully in case of process run exception (GITHUB #531)
- PB-36989 Fix namespace composer warnings
- PB-37343 Fixes postgres dump by adding PGPASSWORD env since .pgpass is not generated on the passbolt installation
- [PRO] PB-37664 As an administrator running the healthCheck, the inactive users should not be calculated for the license check
- PB-38026 As an administrator running the cleanup command I should not see issues on soft deleted groups
- PB-38261 Fix always failing IsNotAccountRecoveryFingerprintRule for metadata keys
- PB-38262 Fix always failing metadata key creation when zero-knowledge is disabled, and no metadata keys are present
Security
- PB-37974 Upgrade CakePHP to v4.5.9
- PB-38166 Passbolt app router should not fall back on Host header if full-base url is not set
Maintenance
- PB-35785 Upgrade psalm/phpstan to latest version as applicable
- PB-35119 Fix tests failing when full base url is not-https
- PB-37000 Fix bug of wrong relation for Rbacs to Log.Actions.
- PB-37072 Fix LatestVersionApplicationHealthcheck test failing due to github not reachable
- PB-37071 Fix PHPUnit 10 deprecations
- PB-36237 Fix frequently failing TOTP setup/verify tests
- PB-38184 Fix synk vulnerability for nesbot/carbon PHP Remote File Inclusion
Browser extension
Added
- PB-37669: WP5-1.1 Implement save method in ServiceWorker
- PB-37670: WP5-1.2 Implement SaveMetadataSettingsService in the Service Worker to handle saving of metadata types settings
- PB-37671: WP5-1.3 Implement SaveMetadataTypesSettingsController in the Service Worker to expose metadata types settings save functionality to the content code
- PB-37672: WP5-1.4 Implement MetadataSettingsBextService in the Content Code to handle Service Worker requests that handles metadata types settings
- PB-37673: WP5-1.5 Add MetadataTypesSettingsEntity in the Content Code to support the metadata types settings form data
- PB-37676: WP5-1.6 Implement DisplayContentTypesMetadataAdministrationActions in the content Code to support content types metadata administration actions
- PB-37677: WP5-1.7 Implement DisplayContentTypesMetadataAdministration in the Content Code to display the metadata content types administration form
- PB-38019: WP5-1.8 Implement entity v2 required getter, setter, and comparison function to handle form data
- PB-38020: WP5-1.9 Add allow_v4_v5_upgrade property to metadata types settings entity
- PB-38021: WP5-1.10 Implement verifyDataHealth on MetadataTypesSettingsFormEntity to verify the settings health and help prevent problematic situations
- PB-38022: WP5-2.2 Metadata keys collection shouldn’t try to decrypt metadata private key that are not encrypted
- PB-38093: WP5-2.1 Make ExternalGpgKeyEntity and ExternalGpgCollection accessible to the content code
- PB-38105: WP5-2.3 Add support of expired on metadata key entity
- PB-38106: WP5-2.4 Find all metadata keys for session storage should not retrieve deleted keys
- PB-38108: WP5-2.5 Apply style on content types encrypted metadata administration screen
- PB-38111: WP5-2.6 Implement MetadataKeysServiceWorkerService in the Content Code to request the Service Worker to retrieve metadata keys
- PB-38121: WP5-2.7 Implement findKeysSettings in MetadataSettingsServiceWorkerService in the Content Code to request the Service Worker to retrieve metadata keys settings
- PB-38124: WP5-2.8 Implement GpgServiceWorkerService in the Content Code to request the Service Worker and retrieve gpg keys info
- PB-38135: WP5-2.9 Implement DisplayContentTypeMetadataKeysAdministration component to read metadata keys settings
- PB-38186: WP5-2.11 Make ExternalGpgKeyPairEntity accessible to the content code
- PB-38194: WP5-2.10 Implement generate function on MetadataKeysServiceWorkerService to support new metadata key generation in content types metadata keys administration page
- PB-38198: WP5-2.12 As an administrator I can generate metadata key when there is none yet active
- PB-38201: WP5-2.13 Implement findAll and findAllActive on findUsersService to retrieve respectively all users and only active users
- PB-38258: WP5-2.14 Implement saveKeysSettings function on MetadataSettingsServiceWorkerService to save metadata keys settings in the content types metadata keys administration page
- PB-38259: WP5-2.15 Implement EncryptMetadataPrivateKeysService to encrypt metadata private key data
- PB-38260: WP5-2.16 Implement save capability on the metadata keys settings administration page
Fixed
- PB-37682: URI not stored when password is weak with the quick access
- PB-38125: Display auto-fill CTA when the browsed page does not display its iframes
Security
- PB-37706: Fix RBAC preview and copying should not be allowed after group filter
- PB-38310: Upgrade i18next-parser undici dependency
Maintenance
- PB-38027: Remove .page.js from styleguide code coverage
- PB-38243: Upgrade playwright dependency and fix CI
