All changelog

Passbolt 5.10.0: You've Got the Love | Browser Extension & API

You've Got the Love | Browser Extension & API

Passbolt 5.10 “You've Got the Love” introduces the first Safari-compatible version of the Passbolt browser extension. The extension is currently available as a beta preview for testers who want to try it and provide feedback ahead of the stable release. This version also brings new productivity features such as TOTP autofill and tags visible in the grid, along with security hardening and performance improvements.

Safari beta support (TestFlight preview)

Passbolt 5.10 introduces the first Safari-compatible version of the Passbolt browser extension. The Safari extension is currently available as a build distributed through TestFlight via this public link for users who want to try it and provide feedback ahead of the stable release.

Passbolt Safari Extension in TestFlight

The extension is currently distributed this way while work continues toward a stable Safari release. 

Learn how to get started with the Safari beta in the dedicated guide.

An exciting update

TOTP autofill

Users can now autofill one-time passwords (TOTP) directly in login forms, similar to how usernames and passwords are autofilled.

When a webpage contains a TOTP field, Passbolt detects it and proposes relevant resources that contain a configured TOTP secret. Users can then select the resource to fill the current one-time password directly into the form.

TOTP autofill can be triggered either from the in-form menu or from the Quick Access interface, allowing users to complete multi-factor authentication without manually copying codes between applications.

TOTP in the InForm menu

Tags visible in the grid (Passbolt Pro)

Tags are now displayed directly in the resources grid, making it easier to identify and filter resources without opening the resource details view.

A new tags column shows the tags associated with each resource. Tags are displayed in alphabetical order and remain clickable, allowing users to filter the workspace by selecting a tag directly from the grid.

When multiple tags exist, the grid displays as many as possible within the column width and indicates additional tags using a counter with a tooltip showing the remaining tags.

This update also modernises the tag codebase and lays the groundwork for further improvements to tagging capabilities.

Fig. Tags in the grid with enough space for 2 tags and a tooltip

Security improvements

Passbolt team is currently preparing its First Level Security Certification (CSPN) with the French National Cybersecurity Agency (ANSSI). This release includes some fixes following the CSPN pre-audit evaluation done in partnership with Quarkslab and an external audit of SCIM provisioning by Cure53. This release addresses the findings identified during both audits.

One notable issue is around CSV injection, e.g. when CSV exports could be susceptible to formula injection when opened in spreadsheet software. This issue was known and classified as out of scope, as exported CSV files are not intended to be opened in spreadsheets but with the password manager they were generated for. However we revisited this decision and settled for a security-by-default approach: CSV export is now disabled by default, fixing the bigger problem of credentials being potentially exported in plaintext. Organisations that still rely on it can re-enable the feature through configuration. Encrypted KDBX export remains available and is the recommended format for credential portability. Looking ahead, we plan to support the FIDO CFX format in a future release to further standardise credential import and export across tools.

Content Security Policy enforcement has been extended to close remaining gaps, further reducing the attack surface in case of a breach. Because the browser extension serves its own code locally rather than relying on the API, sensitive operations were already well protected by design against server-side injection.

Additionally an external security audit of SCIM provisioning has been completed, and this release includes fixes for a number of the findings. We are actively working through the remaining issues and will publish the full audit results once that work is done. SCIM will exit beta and ship on Passbolt Cloud as soon as all findings are resolved. 

Maintenance & performance

This release brings a major upgrade to React 18, resulting in up to 20% faster rendering and the elimination of rare visual glitches that could cause flashes during navigation.

First load times have also improved substantially. Large organisations with thousands of resources will notice the biggest difference, with initial data processing now up to 20% faster.

Bear with us, more optimisations are already in the pipeline for future releases.

Conclusion

As usual, the release is also packed with additional improvements and fixes. Check out the changelog to learn more.

Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!

API

Added

  • PB-48415 As an administrator, I can define the export policies to prevent CSV Export RCE
  • PB-45576 As a logged-in user, the user ID only should be stored in session
  • PB-24273 GET /auth/logout endpoint is now disabled by default
  • PB-48148 Enforces content security policy

Fixed

  • PB-48092 Fixes incorrect client IP in error logs by moving HttpProxyMiddleware upper in the middlewares chain
  • PB-48208 POST /mfa/verify/yubikey should not trigger 500
  • PB-43183 Improve folders cascade delete performance by refactoring code using iterative BFS and batch operations
  • PB-49323 As a user creating a resource, I should not get a 500 if the secret passed is not an array of secrets
  • [PRO] PB-47973 As an administrator I can synchronize with active directory longer entries in order to support 2 or more bytes alphabets
  • [PRO] PB-49152 PBL-15-004 WP1: Fixes unsalted SHA256 hashing of bearer tokens in SCIM
  • [PRO] PB-49148 PBL-15-002 WP3: Fixes suboptimal token generation randomness of SCIM bearer token
  • [PRO] PB-49153 PBL-15-005 WP2: Fixes race condition in SCIM user creation endpoint
  • [PRO] PB-49158 PBL-15-010 WP4: Fixes directory entry foreign key race condition

Security

  • [PRO] PB-49154 PBL-15-006 WP2: Disable user enumeration via error messages on SCIM user creation endpoint

Maintenance

  • PB-48556 Fixes CVE-2026-25129 security vulnerability advisory for psy/psysh package
  • PB-47677 Upgrades firebase/php-jwt to version v7.0.0
  • PB-47628 Upgrades cakephp/cakephp to v5.2.12
  • PB-48555 Fix CVE-2026-24765 security vulnerability advisory for phpunit/phpunit package
  • PB-48396 Update composer/composer package to 2.9.5 to fix CVE CVE-2026-24739 in symfony/process package

Browser extension

Added

  • PB-28063 Activate Safari support in the styleguide
  • PB-29275 SAF - WP2.10 Add Safari as supported extension
  • PB-29292 SAF - WP2.11 Fix quickaccess opening on Safari
  • PB-29605 SAF - WP2.7 Fix detached quickaccess not being closed after "use on this page" click
  • PB-36503 Browser extension causes performance degradation on some websites
  • PB-36503 Browser extension causes performance degradation on some websites
  • PB-43353 SAF - WP2.8 Fix file download on Safari
  • PB-43355 SAF - WP2.9 Fix quickaccess animations
  • PB-43997 SAF - WP1 Update the Safari browser extension build
  • PB-44342 SAF - WP2.1 Provide Safari with its own polyfill
  • PB-44343 SAF - WP2.2 Remove unsupported index.js callback
  • PB-44345 SAF - WP2.4 fix the CSS injection in styleguide.js
  • PB-45869 SAF - WP2.13 Implement file download using the native messaging
  • PB-45870 SAF - WP2.14 Implement a custom fetch using the native messaging
  • PB-46265 SAF - WP2.15 Fix authentication with MFA in the quickaccess
  • PB-46679 SAF - Fix bold font rendering
  • PB-47765 Tags modernization
  • PB-47777 Migrate tags logic from components to TagServiceWorkerService
  • PB-47789 REACT18 - Update ReactDom render to createRoot
  • PB-47992 REACT 18 - migration of ResourceWorkspaceContext
  • PB-48158 REACT 18 - Implement the migration of Dialog and Progress Contexts
  • PB-48240 REACT18 - UserWorkspace migration
  • PB-48252 REACT18 - Migrate ExtAppContext
  • PB-48253 SAF - Temporarily remove Avatar download to avoid user being signed out
  • PB-48258 SAF - Temporarily remove "upload avatar" feature
  • PB-48337 REACT18 - Update contexts that should use functional update
  • PB-48338 REACT18 - Update shared components that should use functional update
  • PB-48339 REACT18 - Update quickaccess components that should use functional update
  • PB-48340 REACT18 - Update authentication components that should use functional update
  • PB-48342 REACT18 - Update user setting components that should use functional update
  • PB-48343 REACT18 - Update administration components that should use functional update
  • PB-48360 REACT18 - Update resource components that should use functional update
  • PB-48363 REACT18 - Update user components that should use functional update
  • PB-48366 REACT18 - Remove await set state in contexts
  • PB-48384 REACT18 - Remove await setState in components and apps
  • PB-48404 REACT18 - Object.assign should use functional set state for context
  • PB-48408 CSV - WP1.2 Add a warning message when user is selecting a CSV format on the button
  • PB-48416 CSV - WP2.9 Check if the setting is enabled when displaying the csv format on exportFormats
  • PB-48419 REACT18 - Update the components to use functional setState
  • PB-48425 REACT18 - Form validation should not check errors in the state for component
  • PB-48470 Create ColumnTagsModel component
  • PB-48471 TAGRID-1.2 Create CellTags component and make it resizable
  • PB-48472 TAGRID-1.3 Add ColumnTagsModel and CellTags to DisplayResourcesList
  • PB-48473 TAGRID-1.4 Clicking on a tag should filter the workspace
  • PB-48521 Harmonise tags style
  • PB-48553 SAF - Use webNavigation instead of tab update to improve navigation performances
  • PB-49070 REACT18 - Migrate SSOContext for react-extension
  • PB-49085 REACT18 - Migrate tests to remove legacyRoot true
  • PB-49092 TAGRID-1.6 Hovering the tag on the resource detail should display tooltip
  • PB-49106 CSV - WP2.2 Implement the exportPoliciesSettingsEntity
  • PB-49107 CSV - WP2.3 Implement the exportPoliciesSettingsApiService
  • PB-49108 CSV - WP2.4 Implement the findExportPoliciesSettingsService
  • PB-49109 CSV - WP2.5 Implement findExportPoliciesSettingsController
  • PB-49110 CSV - WP2.7 Implement exportPoliciesSettingsServiceWorkerService
  • PB-49134 REACT18 - Migrate ApiAppContext
  • PB-49137 CSV - WP2.8 Implement the ExportPoliciesContext
  • PB-49138 CSV - WP2.6 Add event to find export policies settings
  • PB-49172 REACT18 - Rename method in DisplaySelfRegistrationAdminstration
  • PB-49248 REACT 18 - Revert functional setstate
  • PB-49262 REACT18 - revert functional setstate in contexts and components
  • PB-49270 SAF - Fix Safari Users settings for Duo MFA configuration
  • PB-49293 TOTP Autofill
  • PB-49294 Send TOTP through port to fill from in-form menu or quickaccess

Fixed

  • PB-48468 Fix layout when an announcement is visible
  • PB-49330 Alignment issues in 2FA Yubikey login page

Maintenance

  • PB-47191 Review Dependabot alert for useless regular expression escape in browser extension
  • PB-47542 Add unit tests to roleApiService
  • PB-47713 REACT18- 10.2 Implement migration for QuickAccess
  • PB-48088 Remove console errors related to pagemod page detection
  • PB-48242 Remove dev phantom dependencies
  • PB-48375 Add tests to gpg user id parser
  • PB-48467 Add unit test to improve coverage on Allowed Content type page
  • PB-49472 Remove unnecessary permissions from entitlements and project
  • PB-49631 Optimize getFirst function

Security

  • PB-48025 Major upgrade for pino (Medium) - passbolt-browser-extension
  • PB-48039 Small upgrade for validator (Medium) - styleguide
  • PB-48256 Small upgrade for lodash-es (Medium) - all-projects
  • PB-48257 Small upgrade for lodash (Medium) - all projects
  • PB-48527 Small upgrade for locutus (Critical) - passbolt-windows
  • PB-48535 NPM - Remove now unnecessary overrides in package.json for styleguide and bext
  • PB-49119 Remove dev phantom dependencies - node-fetch
  • PB-49120 Remove dev phantom dependencies - history
  • PB-49121 Remove dev phantom dependencies - expect
  • PB-49369 Fix GCVE-0-2026-2391 - Medium CVSS4.0
  • PB-49372 Fix GCVE-0-2025-68458 & GCVE-0-2025-68157 - LOW CVSS3.1
  • PB-49373 Fix GCVE-0-2026-25547 - CRITICAL CVSS4.0
  • PB-49432 Fix GCVE-0-2025-69873 - MEDIUM CVSS4.0
  • PB-49452 Fix GHSA-3ppc-4f35-3m26 - HIGH CVSS4.0
  • PB-49454 Update CSPs to allow inline
Flag of European UnionMade in Europe. Privacy by default.