All changelog

Passbolt 5.11.0 “Got To be Real”

Got To Be Real | Browser Extension & API

Passbolt 5.11.0 "Got To be Real" marks SCIM provisioning as production-ready following an external security audit by Cure53. This release also adds PingOne as a new SSO provider and introduces OAuth support for SMTP authentication with Microsoft Exchange Online, ahead of Microsoft's planned deprecation of basic authentication at the end of 2026.

SCIM: audit fixes and general availability (Passbolt Pro)

SCIM provisioning, introduced as beta in Passbolt 5.5.0, is now marked as stable. With SCIM, administrators can create, update, suspend, and delete users directly from their identity provider, without ever touching the Passbolt UI. Microsoft Entra ID and Okta have been tested and validated as supported providers.

This milestone follows an external security audit conducted by Cure53, whose findings have been addressed across this and previous releases. The full report will be published shortly and made available to the community.

PingOne SSO support (Passbolt Pro)

This release adds PingOne as a new SSO provider. Organisations using PingOne can now authenticate their users without leaving their existing identity infrastructure.

PingOne SSO card

PingOne joins the list of supported SSO providers alongside Azure AD, AD FS, Google, and the generic OpenID Connect connector that supports providers such as Keycloak or other in-house identity systems.

SMTP OAuth support for Microsoft Exchange Online 

This release introduces OAuth 2.0 support for SMTP email delivery with Microsoft Exchange Online. Microsoft has announced that basic authentication for SMTP will be disabled by default at the end of 2026 (see Microsoft's updated deprecation timeline). Organisations using Exchange Online can start transitioning to OAuth now, ahead of the deadline.

Email server settings with OAuth authentication method

Safari update (beta)

The Safari extension moves to its next milestone. While still in beta, organisations can now opt in by enabling a feature flag in the API configuration file or via environment variable. Once enabled, the browser extension becomes available through what will become the stable package on the Apple Store, allowing organisations to deploy it for all their users.

Safari support is not yet fit for production use. For more details about the known limitations and risks, see the open beta announcement. We thank the community members participating in the TestFlight program for their continued feedback and encourage pioneers who are comfortable with the risk to enable it and share their experience.

To enable safari beta from the environment variables, set the PASSBOLT_PLUGINS_SAFARI_ENABLED to true.

To enable safari beta from the passbolt.php configuration file.

'passbolt' => [
  'plugins' => [
    'safari' => [
      'enabled' => true,
    ],
  ],
],

Other changes

This release adds autofill support for ProxMox, OVH, Supermicro IPMI, and several other websites. We continuously work to improve autofill coverage and the feedback from the community is invaluable. If you encounter a website where autofill does not work as expected, do not hesitate to file a bug report.

As usual, the release is also packed with additional improvements and fixes. Check out the detailed logs to learn more.

Conclusion

Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!

API

Added

  • PB-49875 OAuth support for smtp authentication
  • PB-50158 Add a feature flag to enable/disable Safari availability on a Passbolt instance
  • PB-50199 As an admin I can contain my_group_user in POST /groups.json
  • PB-50646 Add Permissions-Policy header on the API response
  • PB-32992 [Pro] As a user I can use PingOne as single sign on provider
  • PB-50524 [Pro] Move SCIM feature out of beta

Fixed

  • PB-49323 As a user creating a resource, I should not get a 500 if the secret passed is not an array of secrets
  • PB-40266 Health-check issues on Ubuntu 24 when running while being in a directory without the +x permission bit for www-data user (GITHUB #571)
  • PB-50021 As a guest, I should not get a 500 on GET /users.json?contain[pending_account_recovery_request]=1
  • PB-49823 Fix misleading email notification footer
  • PB-50028 GITHUB - Fix GPG authentication nonce UUID validation using incorrect comparison operand (#592, #596)
  • PB-50121 Replace rand() with a static counter to generate unique bind-parameter placeholder (GITHUB #595)
  • PB-50241 As a logged-in user I should not get a 500 when logging-in again
  • PB-49902 As a user I cannot create a v4 resource with v5 resource type
  • PB-49286 [Pro] PBL-15-009 WP4: Non-transactional group member operations (Low)
  • PB-49160 [Pro] PBL-15-012 WP1: Potential admin lockout via malicious IdP request (Low)
  • PB-49159 [Pro] PBL-15-011 WP4: Lack of transaction wrapper in production sync (Low)
  • PB-49285 [Pro] PBL-15-008 WP4: ScimEntry uniqueness race condition (Medium)
  • PB-49284 [Pro] PBL-15-007 WP5: Potential DoS via pre-authentication GPG decryption (Low)
  • PB-49151 [Pro] PBL-15-003 WP3: Lack of bearer token expiry & revocation schemes (Medium)
  • PB-50646 - Add Permissions-Policy header on the API response

Improved

  • PB-50070 Align X-Frame-Options with CSP and add missing X-XSS-Protection header

Maintenance

  • PB-50133 Align allowCsvFormat variable name in plugin config.php
  • PB-50173 Fix composer security vulnerability advisory affecting phpseclib/phpseclib package (CVE-2026-32935)
  • PB-49096 Remove unused MFA assets & pages served by the browser extension

Browser extension

Added

  • PB-49733 SMTP-OAUTH - WP2.1 Update SmtpSettingsService to SmtpSettingsApiService
  • PB-49734 SMTP-OAUTH - WP1.1 Create the SmtpSettingsEntity
  • PB-49737 SMTP-OAUTH - WP2.2 Update SmtpTestSettingsService to SmtpTestSettingsApiService
  • PB-49738 SMTP-OAUTH - WP2.3 Split SmtpSettingsModel to new architecture pattern
  • PB-49739 SMTP-OAUTH - WP2.4 Split SmtpTestSettingsModel to new architecture pattern
  • PB-49740 SMTP-OAUTH - WP3.1 Adapt context with the new SMTP entities
  • PB-49741 SMTP-OAUTH - WP3.2 Adapt ManageSmtpAdministationSettings to handle the new OAUTH fields
  • PB-50058 OAuth SMTP: add the new styleguide to backend
  • PB-50135 SSO with PingOne
  • PB-50157 Enable avatar upload for Safari
  • PB-50254 [Pro] SCIM-WP1.2 Adapt form to handle the new date field and display warning message when expired
  • PB-50263 Add a username selector compatible with ProxMox

Fixed

  • PB-46678 Fix quickaccess closing issue on Safari
  • PB-49237 DisplayUserBadgeMenu attention required should be displayed on Administration page served by API
  • PB-49287 When deleting a user, the URL must changed not to reference the deleted user id
  • PB-49476 Fix autofill for websites using identifier as name for username field
  • PB-49619 Fix username input field selector for OVH
  • PB-49849 Sync generator password policy with the administration after save
  • PB-49866 Fix the expiry column in the resource workspace grid is not present anymore
  • PB-49882 Fix username input field selector for Supermicro IPMI WebUI
  • PB-50023 Fix multifield OTP selector matching hidden inputs
  • PB-50077 Fix React router issue that reloads the page unexpectedly
  • PB-50177 Fix autofill issues for two websites

Maintenance

  • PB-49129 Delegate tab opening to service worker in order to send all cookie via Safari
  • PB-49459 Timeouts not cleared properly when filtering resources/users grids by keywords
  • PB-49705 Add missing TOTP unit tests
  • PB-49730 Setup an environment for publishing to npmjs registry
  • PB-49998 Add required data_collection_permissions for Firefox and set it to none
  • PB-50013 Make Safari download custom avatars test of quick fix for CI
  • PB-50118 Major upgrade for locutus (Critical) - passbolt-browser-extension
  • PB-50158 Add Safari enablement through a feature flag
  • PB-50200 Move the logic of passbolt.groups.create to GroupCreateController
  • PB-50201 Update group create call in groupApiService to contain "my_group_user" as urlOptions
  • PB-50202 Add supported formats documentation link in export dialog
  • PB-50225 Create a CreateGroupService.js file and move the create call to api service inside it
  • PB-50338 - Fix phantom @babel/preset-react

Security

  • PB-49608 Fix ReDoS vulnerability in PGP armor regex validation
  • PB-50271 Fix GHSA-25h7-pfq9-p65f - HIGH CVSS3.1
  • PB-50272 Fix brace-expansion vulnerabilities
Flag of European UnionMade in Europe. Privacy by default.