SCIM Cure53 security audit results
In February 2026, Cure53 conducted a two-week white-box penetration test and source-code audit of Passbolt's SCIM, Azure AD integration, and directory synchronisation components. We commissioned this audit because SCIM and directory sync sit between Passbolt and external identity providers, where the risk surface is higher and mistakes have broader impact.
Three senior researchers covered five work packages across fifteen evaluation days. They noted that the overall security posture is solid, and that the findings relate mostly to common pitfalls in concurrent systems and integration constraints rather than fundamental architectural issues.
At the time of the audit, SCIM and directory synchronisation were still marked as beta.
These features are also disabled by default and will remain opt-in. This is part of our release process: new integration surfaces are audited before being declared stable.
Have a look at the report.
Summary
Cure53 reported twelve findings: one High, four Medium, seven Low. None of them allowed unauthenticated remote code execution or secret exfiltration.
The most consequential finding (PBL-15-005, High) was a time-of-check-to-time-of-use (TOCTOU) race condition in SCIM user creation that could lead to duplicate user records. The remaining issues clustered around four themes: cryptographic hygiene of the SCIM bearer token, race conditions in concurrent sync operations, error messages, and guardrails against malicious or compromised identity providers.
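To illustrate the class of bug behind PBL-15-005, here is an added example (not Passbolt's code, and not the fix that shipped) that simulates two concurrent SCIM POST /Users requests for the same userName against an in-memory SQLite table: first with an application-level check-then-insert, then with uniqueness enforced by the database. The table schema, the deterministic interleaving and the 201/409 status codes are assumptions made for the illustration.

```python
import sqlite3
from typing import Callable

# Constructed stand-in for a SCIM users table; the real schema is not on this page.
def open_db(unique_username: bool) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_username else ""
    conn.execute(f"CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL {constraint})")
    return conn

def count_users(conn: sqlite3.Connection, username: str) -> int:
    return conn.execute("SELECT COUNT(*) FROM users WHERE username = ?", (username,)).fetchone()[0]

# Vulnerable pattern: the check (SELECT) and the use (INSERT) are separate steps, so a
# second request for the same userName can complete between them. `pause` models that window.
def create_user_check_then_insert(conn, username, pause=lambda: None) -> int:
    exists = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    if exists:
        return 409  # SCIM uniqueness conflict
    pause()
    with conn:
        conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    return 201

# Hardened pattern: no pre-check to race; the UNIQUE constraint is the single authority
# and its violation is mapped to 409 instead of producing a second row (or a 500).
def create_user_atomic(conn, username, pause=lambda: None) -> int:
    pause()
    try:
        with conn:
            conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    except sqlite3.IntegrityError:
        return 409
    return 201

def race_two_requests(conn, username, create: Callable):
    """Deterministic interleaving: request A is paused between check and insert, and
    request B runs to completion inside that window. Returns ([(request, status)], rows)."""
    statuses = []
    def window():
        statuses.append(("B", create(conn, username)))
    statuses.append(("A", create(conn, username, pause=window)))
    return statuses, count_users(conn, username)

if __name__ == "__main__":
    for label, unique, create in (("check-then-insert", False, create_user_check_then_insert),
                                  ("atomic insert", True, create_user_atomic)):
        statuses, rows = race_two_requests(open_db(unique), "alice@example.com", create)
        print(f"{label}: statuses={statuses} rows={rows}")
```

With the check-then-insert version both requests return 201 and two rows exist; with the database-enforced version the second insert is rejected with 409 and exactly one row remains.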
We have addressed eleven of the twelve issues in code; the remaining one, the denial-of-service finding (PBL-15-007), is a documented won't-fix that relies on infrastructure-level mitigation (firewall or IP restriction), consistent with our original threat model.
Versions and fixes timeline
- v5.10: PBL-15-001, 002, 004, 005, 010
- v5.11: PBL-15-003, 008, 009, 011, 012
- v5.13: PBL-15-006
- Won't-fix: PBL-15-007
If you are running v5.11 or later, all eleven addressed findings are shipped in your installation. Cloud customers are already on v5.12+; self-hosted operators should upgrade if they are using SCIM.
Acknowledgements
We are grateful to Cure53, and specifically Dr. Mario Heiderich, Dr. Nadim Kobeissi, and Joseph Ginesin, for the depth and clarity of this audit.