All changelog

Natural Blues | Browser Extension & API

Natural Blues | Browser Extension & API

Passbolt 5.12.0 makes the Safari browser extension generally available, ending the open beta period. This release also introduces a new PIN code resource type, along with improvements to TOTP field detection and the usual round of security and dependency updates.

Safari Extension Out of Beta

The Safari extension is now offered by default to all Safari users, on equal footing with Chrome, Firefox, and Edge.

This milestone reflects months of work across both our internal testing and the open beta period, during which organisations enabled the extension on their own instances and gave feedback. Many thanks to everyone who joined the TestFlight program for the open beta. Your feedback shaped this release.

PIN code resource type

Passbolt 5.12 introduces a dedicated Pin Code resource type for securely storing standalone PINs such as door access codes, safes, alarm systems, SIM codes, or device unlock codes.

Fig. Create a PIN code resource from Main Menu

Unlike workarounds based on passwords or custom fields, Pin Codes now have their own dedicated form, icon, validation, and generation flow. PINs are strictly numeric and support 4 to 12 digits in accordance with the ISO 9564-1 standard.

Fig. Display PIN code Column in Grid

Users can create, view, copy, and generate PIN codes directly from the browser extension, optionally alongside a secure note. A dedicated PIN code column can also be displayed in the resource grid, while administrators can enable or disable the resource type from the administration settings.

Fig. PIN code option in the Allowed Content Types Menu from Organisation Settings

Import and export are supported, with automatic detection of compatible PIN code entries during import.

This release also lays the groundwork for additional resource types in future releases.

Maintenance and security

As usual, this release ships some third-party dependency upgrades and security advisory fixes, with no user-visible impact.

The release also refines the browser extension's detection of TOTP fields to reduce false positives in autofill. Many thanks to the community members who reported cases where the extension picked up unintended fields. Clearly integrating with the wide variety of forms across the web is a community effort, and your feedback is what makes it possible.

For administrators, the action logs purge command now covers additional entries, improving the audit logs performance.

Conclusion

Many thanks to everyone who tried the Safari open beta, reported autofill issues, and contributed to making Passbolt better.

What’s next

Passbolt is also preparing for offline mode support, allowing users to securely access encrypted resources even when temporarily disconnected from the server. More details will be shared in upcoming releases!

API

Added

  • PB-51081 Adds pin code resource type
  • PB-51516 Enables Safari by default

Security

  • PB-50625 Fixes GHSA-F886-M6HF-6M8V security vulnerability advisory (Medium)
  • PB-50340 Upgrades picomatch package (Medium)
  • PB-50538 Upgrades lodash package (Critical)
  • PB-50895 Fixes bn.js security vulnerability advisory GHSA-378v-28hj-76wf (Medium)
  • PB-50969 Fixes composer security vulnerability advisory affecting phpseclib/phpseclib package (CVE-2026-40194)
  • PB-51135 Fixes security vulnerability advisory affecting composer/composer package (CVE-2026-40261, CVE-2026-40176)
  • PB-51151 Fixes i18next-http-backend security vulnerability advisory GHSA-r5fr-rjxr-66jc (Medium)
  • PB-51152 Fixes uuid security vulnerability advisory GHSA-w5hq-g745-h8pq (Medium)
  • PB-51448 Fixes security vulnerability advisory affecting phpseclib/phpseclib package (CVE-2026-44167)
  • PB-51208 Cleans up UserScimResource.php logged errors
  • PB-51028 Sets SESSION_COOKIE_SAMESITE on Lax by default for all session engines

Maintenance

  • PB-50893 As an administrator I can purge action additional logs by action via the logs purge command
  • PB-50914 Homogenizes CE and Pro codebase
  • PB-51243 Fixes activity logging breaking after instance reset while executing Selenium tests
  • PB-51428 Fixes dev test data inserting empty definitions for v5 resource types
  • PB-51541 Fixes SCIM endpoints returning 500 errors on cloud when resourceType is not supported

Browser extension

Added

  • PB-51015 Add PIN code resource type in resourceTypeSchemasDefinition
  • PB-51016 Handle PIN code in resourceTypeEntity
  • PB-51017 Handle PIN code in resourceTypesCollection
  • PB-51019 PINCODE - 1.5 Create secretDataV5StandalonePinCodeEntity and add...
  • PB-51020 PINCODE - 1.6 Add pin code to ResourceEditCreateFormEnumerationTypes
  • PB-51023 Update resourceTypesFormEntity to handle the new pin code resource type
  • PB-51046 PINCODE - 3.2 Adapt ExternalResourceEntity to handle the pin code resource type schema
  • PB-51047 PINCODE - 3.3 Adapt ExportResourcesService to handle the mapping of pin code
  • PB-51048 PINCODE - 3.4 Adapt resourcesKdbxImportParser and to map pin code in case it exist to the correct resource types
  • PB-51049 Add PIN code icon to passboltDefaultResourceTypeIcons.data
  • PB-51050 Update DisplayContentTypesAllowedContentTypesAdministration to handle PIN code
  • PB-51051 Add the pin code resource type to DisplayResourceCreationMenu
  • PB-51052 Add PIN code in SelectResourceForm
  • PB-51053 Create the new pin code resource type form
  • PB-51054 Adapt OrchestrateResourceForm to handle the new AddResourcePinCode
  • PB-51055 Create the new DisplayResourceDetailsPinCode to display the pin code into detail
  • PB-51056 PINCODE - 3.5 Adapt resourcesKdbxExporter and to map pin code in case it exist to the correct resource types
  • PB-51073 PINCODE - 2.8 Add pin code into the grid
  • PB-51201 Fix notes-related issues
  • PB-51246 Add pin code to workspace create menu

Fixed

  • PB-49888 The contents of Resource Creation Progress Dialog always shows Creating Password
  • PB-50166 Fix break vs continue bug in MoveResourcesService batch permission calculation
  • PB-50535 DisplayuserbadgeMenu should display attention required on page served by API if MFA is required
  • PB-50617 Add PingOne redirect URL field
  • PB-50945 Fix expired session when port is disconnected
  • PB-51012 Hide 'set expired' option for already expired resources
  • PB-51018 Tighten fields selectors to avoid false positives
  • PB-51077 Fix typo "susccessfully" to "successfully"

Security

  • PB-50623 Fix GHSA-2328-f5f3-gj25 (HIGH)
  • PB-50877 Fix undici GHSA-f269-vfmq-vjvj - MEDIUM CVSS3.1
  • PB-50906 Fix svgo GHSA-xpqw-6gx7-v673 - HIGH CVSS3.1
  • PB-50907 Fix flatted GHSA-rf6f-7fwh-wjgh - HIGH CVSS4.0
  • PB-50908 Fix @xmldom/xmldom GHSA-wh4c-j3r5-mjhp - HIGH CVSS3.1
  • PB-50920 Upgrade webpack-cli
  • PB-50921 Upgrade web-ext
  • PB-51060 Fix protocol-buffers-schema GHSA-j452-xhg8-qg39 - MEDIUM CVSS3.1
  • PB-51151 Fix i18next-http-backend GHSA-r5fr-rjxr-66jc - MEDIUM CVSS3.1
  • PB-51152 Fix uuid GHSA-w5hq-g745-h8pq - MEDIUM CVSS3.1
  • PB-51170 Fix @xmldom/xmldom GHSA-2v35-w6hq-6mfw - HIGH CVSS4.0
  • PB-51179 Investigate and/or enforce package cool down mechanism with safe-chain or npm or both

Maintenance

  • PB-50224 Add devcontainer to bext
  • PB-50301 removed GitLab CI definition as it's been moved to the ci-definitions repo
  • PB-50340 Small upgrade for picomatch (Medium)
  • PB-51086 keep notify expired session tests skipping
Flag of European UnionMade in Europe. Privacy by default.