Incidents

History of incidents that impacted Passbolt during the past years. Never miss an incident, subscribe to our product updates.

We respect your privacy

2024

June 12th, 2024

Cloud outage June 10th

On June 10th, 2024, a service degradation occurred on Passbolt Cloud between 4:00 PM and 5:15 PM UTC. This incident resulted in some users experiencing 404 errors and limited or no access to their organization workspace.

outage

April 17th, 2024

Reflective HTML Injection vulnerability

A vulnerability identified by security researcher Ruben Meeuwissen allows an attacker to deface the error page using custom URL parameters.

vulnerability

April 17th, 2024

Pwned Password Service Information Leak Incident

A vulnerability identified by security researchers of Quarkslab, could result in an information leak.

vulnerability

April 15th, 2024

PBL-11 Security audit results

In the lead-up to the stable release of the Passbolt UWP Windows application, the Cure53 team dedicated two days to a focused audit on the application's native layer.

audit

2023

September 11th, 2023

PBL-09 Security audit results

As part of the security audit of the LDAP feature refactoring, Cure53 team, found two issues that have been resolved with v4.1.3.

audit

September 10th, 2023

PBL-08 Security audit results

As part of the security audit of Single Sign On feature, Cure53 team, found 8 issues that have been solved progressively by order of importance with v3.11 to v4.1.

audit

July 3rd, 2023

Cloud outage

Cloud outage due to routine network component upgrade.

outage

April 26th, 2023

Sending unencrypted description during resource creation on Android app

Android App was leaking encrypted descriptions on resources created with it.

vulnerability

April 5th, 2023

Android App unlisted from the Google Play Store

Android App was unavailable on the store due to family policy violations / app access issues.

outage

2022

September 20th, 2022

Spell-jacking on Google Chrome and Microsoft Edge

Security researchers from otto-js published a report about a spell-jacking security flaw found on Google Chrome and Microsoft Edge.

vulnerability

January 19th, 2022

PBL-06 Security audit results

This audit concerned all the changes related to the implementation of the mobile features for the API as well as both Android and iOS mobile applications.

audit

2021

December 15th, 2021

Cloud outage - December 2021

This report explains the timeline and resolution for the issue that led to a 1h downtime of the cloud service on the morning of the 15th of December, 2021.

outage

November 24th, 2021

Security issue in experimental JWT authentication in v3.3

As part of the audit of the mobile application, security researcher Johannes Moritz, from Cure53 team, while reviewing the JWT authentication procedure, found that the Passbolt API is prone to a key confusion attack.

audit

October 19th, 2021

PBL-01 Cure53 Report

During the course of Q1 2021, the cryptography of the project was examined by two members of security research team of Cure53 over the course of six days, with the results amounting to seven findings of varying severity and seven informational findings.

audit

February 10th, 2021

Passbolt v3 release issues

The Passbolt API v3 rollout caused issues due to stricter data validation, affecting users with older or manually edited databases.

vulnerability

2019

November 26th, 2019

Autofill Suggestions

As part of Passbolt Bug Bounty program, security researcher René Kroka reported a new vulnerability affecting the extension.

vulnerability

August 7th, 2019

Bug bounty results

As part of Passbolt Bug Bounty program, security researcher René Kroka reported several vulnerabilities, one affecting the extension and three affecting the API.

audit

February 11th, 2019

Security audit results

During January an independent security audit of Passbolt API was conducted by french security researcher Jose-Alexandre Mayan.

audit

2018

November 9th, 2018

Gke Incident

A routine Kubernetes update caused passbolt.com and demo.passbolt.com to go offline. Despite efforts with Google support, services were restored by switching to a new cluster.

vulnerability

May 9th, 2018

Nginx Web Root Configuration Issue

The Nginx configuration file shipped with Passbolt Pro and the Docker container of Passbolt CE exposes files, creating a confidentiality issue.

vulnerability

May 8th, 2018

Password generator PRNG

Passbolt Web Extension version v1 does not use a cryptographically secure pseudo random generator when automatically generating random passwords for the user.

vulnerability

2017

December 28th, 2017

Content scripts running on malicious domain

Passbolt Web Extension version 1.6.7 is vulnerable to content scripts that can run on untrusted malicious domain.

vulnerability

October 13th, 2017

Passphrase information leakage

Passbolt Extension version 1.6.6 is vulnerable to an information leakage during the setup.

vulnerability

September 14th, 2017

XSS on resource URLs

Passbolt API version 1.6.4 is vulnerable to a XSS in the url field on the password workspace grid and sidebar.

vulnerability

February 10th, 2017

Chrome not available

On Thursday 9th of February 2017 evening, the extension was taken down by google from the chrome web store without notice.

outage