What's Changed
New Features by @guerricv in #5098
Health Check Utility
A new Utilities > Health page is available to administrators. It provides a centralized view of the instance's integrity and configuration status, making it easier to detect and diagnose common issues.
Bulk Delete for Deleted Users
The deleted users panel now supports selecting multiple accounts and purging them in a single operation. A "Select all" checkbox and a dedicated purge button have been added alongside the existing 90-day purge button.
Improvements by @guerricv in #5098
API — Folder Access via Cache (Extension)
The list of accessible folders is no longer embedded in the JWT payload (which caused oversized tokens). The API now resolves accessible folders at runtime from the cache_tree table. The cache is built at login and silently refreshed when permissions change.
User Statistics — System Accounts Excluded
The admin dashboard's user counts now correctly exclude internal system accounts (e.g., TP_USER, API), giving a more accurate view of real user activity.
Inactive Users Email — Improved Name Handling
Notification emails sent to inactive users now fall back gracefully to the first name, then the last name, then the login when a full name is not available. The email template also gains a #firstname# placeholder.
Bug Fixes
Encryption — False Positive PKCS7 Padding During Migration
Fixed a rare silent failure during the phpseclib v1 → v3 private key migration.
AES-CBC decryption with the wrong hash algorithm (SHA-256 on SHA-1 data) could produce garbage data that passed PKCS7 padding validation. The decrypted output is now validated as a valid PEM key before accepting the result; if not, the correct algorithm is retried automatically.
TP_USER Migration Script
A dedicated migration script (scripts/migrate_tp_user_to_v3.php) has been added for the internal TP_USER account (ID 9999997). Because this account never logs in interactively, it was skipped by the standard per-user migration. The script detects the encryption version of its RSA private key and sharekeys, and re-encrypts them to phpseclib v3 (SHA-256) as needed.
Run php scripts/migrate_tp_user_to_v3.php [--dry-run|--migrate] to perform this evolution
Full Changelog
Last important topics
- 3.1.6.0 - Migration is forced when user is login. If you want to migrate progressively, set
FORCE_PHPSECLIBV3_MIGRATIONtoFALSE(in file./includes/config/include.php). - 3.1.5.10 - Refactor: Remove user password sanitization (see documentation)
- 3.1.5.2 - New: Personal items migration phase implemented with improved management (see documentation)
- 3.1.5.0 - New: transparent user password recovery in case of password change in external AD (please read documentation)
Important
- Requires at least
PHP 8.1 - New password library implemented, read about impacts
Languages
Please join Teampass v3 translation project on Poeditor and translate it for your language.
Installation
Follow instructions from Documentation.
Upgrade
Follow instructions from Documentation.
Ideas and comments
Are welcome ... please use Discussions.