Incidents

History of incidents that impacted Passbolt during the past years. Never miss an incident, subscribe to our product updates.

We respect your privacy

2026

January 13th, 2026

AWS AMI Delisted From Marketplace

Some of our AWS AMI products are temporarily unavailable on the AWS Marketplace.

outage

January 5th, 2026

Cloud: DUO authentication issue with Chrome browser extension in Passbolt 5.7

On the release of Passbolt Cloud 5.7, an issue was introduced that prevented some users from completing authentication when using DUO as a second factor via the Chrome browser extension.

outage

2025

December 29th, 2025

Incident: iOS 2.5.0 application not usable after upgrade to API 5.8.0

Incident summary On December 29th, 2025, an issue was identified where the Passbolt iOS application became unusable for regular users after upgrading the Passbolt API to version 5.8. Administrators are not impacted and could continue using Passbolt iOS app normally. The problem affects onboarding and login flows for regular users on iOS. Android users and browser extension users are not affected. A fix has been implemented in the iOS application and is currently under review by the Apple App

outage

December 17th, 2025

Passbolt Chrome Extension Unavailable for New Installations - December 17, 2025

The Passbolt Chrome extension is currently unavailable for new installations. Existing users are not impacted and can continue using the extension as usual.

outage

November 18th, 2025

Passbolt Cloud & Website Outage Report - November 18, 2025

A global Cloudflare failure caused intermittent downtime for Passbolt Cloud and the website. Passbolt remained operational but unreachable until recovery.

outage

August 13th, 2025

Known issues in 5.4.0 affecting login and imports

We’re tracking two regressions introduced with the 5.4.0 release. Details and scope below. We’ll post updates here as we progress on the fixes.

July 2nd, 2025

Passbolt v5.1 Security Audit Results

In the course of two weeks in May 2025, Cure53 conducted a comprehensive white-box security audit and penetration test of the Passbolt browser addon and API. The scope covered both frontend and backend/API components, with a total of six findings, four classified as vulnerabilities, and two as informational issues. While no critical vulnerabilities were discovered, a known limitation affecting metadata integrity was flagged. It is highlighted here, to ensure administrators can properly account

audit

April 11th, 2025

Cloud Deployment Incident - March 26th, 2025

On March 26th 2025, an incident occurred on Passbolt Cloud during the deployment of version v4.12.1 between 17:10 and 19:15 CEST. This incident resulted in HTTP 500 errors for users when accessing services related to the cloud-api.

outage

February 18th, 2025

Host header injection

A vulnerability identified by security researcher David Silva allows an attacker to manipulate the host header to send malicious URL in the emails, when the server is misconfigured and fullBaseUrl is not set.

vulnerability

2024

June 12th, 2024

Cloud outage June 10th

On June 10th, 2024, a service degradation occurred on Passbolt Cloud between 4:00 PM and 5:15 PM UTC. This incident resulted in some users experiencing 404 errors and limited or no access to their organization workspace.

outage

April 17th, 2024

Reflective HTML Injection vulnerability

A vulnerability identified by security researcher Ruben Meeuwissen allows an attacker to deface the error page using custom URL parameters.

vulnerability

April 17th, 2024

Pwned Password Service Information Leak Incident

A vulnerability identified by security researchers of Quarkslab, could result in an information leak.

vulnerability

April 15th, 2024

PBL-11 Security audit results

In the lead-up to the stable release of the Passbolt UWP Windows application, the Cure53 team dedicated two days to a focused audit on the application's native layer.

audit

2023

September 11th, 2023

PBL-09 Security audit results

As part of the security audit of the LDAP feature refactoring, Cure53 team, found two issues that have been resolved with v4.1.3.

audit

September 10th, 2023

PBL-08 Security audit results

As part of the security audit of Single Sign On feature, Cure53 team, found 8 issues that have been solved progressively by order of importance with v3.11 to v4.1.

audit

July 3rd, 2023

Cloud outage

Cloud outage due to routine network component upgrade.

outage

April 26th, 2023

Sending unencrypted description during resource creation on Android app

Android App was leaking encrypted descriptions on resources created with it.

vulnerability

April 5th, 2023

Android App unlisted from the Google Play Store

Android App was unavailable on the store due to family policy violations / app access issues.

outage

2022

September 20th, 2022

Spell-jacking on Google Chrome and Microsoft Edge

Security researchers from otto-js published a report about a spell-jacking security flaw found on Google Chrome and Microsoft Edge.

vulnerability

January 19th, 2022

PBL-06 Security audit results

This audit concerned all the changes related to the implementation of the mobile features for the API as well as both Android and iOS mobile applications.

audit

2021

December 15th, 2021

Cloud outage - December 2021

This report explains the timeline and resolution for the issue that led to a 1h downtime of the cloud service on the morning of the 15th of December, 2021.

outage

November 24th, 2021

Security issue in experimental JWT authentication in v3.3

As part of the audit of the mobile application, security researcher Johannes Moritz, from Cure53 team, while reviewing the JWT authentication procedure, found that the Passbolt API is prone to a key confusion attack.

audit

October 19th, 2021

PBL-01 Cure53 Report

During the course of Q1 2021, the cryptography of the project was examined by two members of security research team of Cure53 over the course of six days, with the results amounting to seven findings of varying severity and seven informational findings.

audit

February 10th, 2021

Passbolt v3 release issues

The Passbolt API v3 rollout caused issues due to stricter data validation, affecting users with older or manually edited databases.

vulnerability

2019

November 26th, 2019

Autofill Suggestions

As part of Passbolt Bug Bounty program, security researcher René Kroka reported a new vulnerability affecting the extension.

vulnerability

August 7th, 2019

Bug bounty results

As part of Passbolt Bug Bounty program, security researcher René Kroka reported several vulnerabilities, one affecting the extension and three affecting the API.

audit

February 11th, 2019

Security audit results

During January an independent security audit of Passbolt API was conducted by french security researcher Jose-Alexandre Mayan.

audit

2018

November 9th, 2018

Gke Incident

A routine Kubernetes update caused passbolt.com and demo.passbolt.com to go offline. Despite efforts with Google support, services were restored by switching to a new cluster.

vulnerability

May 9th, 2018

Nginx Web Root Configuration Issue

The Nginx configuration file shipped with Passbolt Pro and the Docker container of Passbolt CE exposes files, creating a confidentiality issue.

vulnerability

May 8th, 2018

Password generator PRNG

Passbolt Web Extension version v1 does not use a cryptographically secure pseudo random generator when automatically generating random passwords for the user.

vulnerability

2017

December 28th, 2017

Content scripts running on malicious domain

Passbolt Web Extension version 1.6.7 is vulnerable to content scripts that can run on untrusted malicious domain.

vulnerability

October 13th, 2017

Passphrase information leakage

Passbolt Extension version 1.6.6 is vulnerable to an information leakage during the setup.

vulnerability

September 14th, 2017

XSS on resource URLs

Passbolt API version 1.6.4 is vulnerable to a XSS in the url field on the password workspace grid and sidebar.

vulnerability

February 10th, 2017

Chrome not available

On Thursday 9th of February 2017 evening, the extension was taken down by google from the chrome web store without notice.

outage