What's Changed

This is a major release.
It restructures the codebase for stronger security, raises the minimum PHP version, and adds breach detection, a knowledge base, and local password recovery.
Upgrading from 3.1.x requires a web server configuration change ; read the Upgrade notes below before upgrading.

🚀 Pre-release Disclaimer: Version 3.2.0.0 is currently a pre-release. It has been heavily tested, but it now needs a real-world "baptism by fire" by the community. We strongly advise testing it in a non-production environment first.

Breaking changes

• Split directory structure. The web server DocumentRoot must now point to public/, not the project root. Application code lives in app/, runtime data (uploads, files, backups) in storage/, and the encryption key in secrets/; all outside the webroot.
• PHP 8.2 is now the minimum supported version.

New features

• HaveIBeenPwned breach detection. Item passwords can be checked against the HIBP Pwned Passwords API using k-anonymity (only a SHA-1 hash prefix is sent). Results are stored per item. Controlled by the hibp_enabled and hibp_check_interval_days settings.
• Knowledge Base. A built-in knowledge base with comment support. Enabled via the Enable knowledge base setting.
• Local password recovery. Optional self-service account recovery, replacing the previous "hide forgot password link" option. Configured under the enable_local_password_recovery
  setting.
• Password generator service. A new generator that produces passwords meeting a folder's complexity requirements, with BIP39 mnemonic passphrase support.

Security

• API hardening. Multiple critical and high/medium API vulnerabilities fixed.
• CORS allow-list for the API via the new api_cors_origins setting (empty = allow all, JWT remains the auth layer).
• Read-only folder access enforced in the API for create, update, delete and move.
• Code moved outside the webroot through the new directory layout.
• Encryption key path auto-derived from ./secrets (no longer user-configurable).
• Password complexity is now computed on the plaintext, not the ciphertext.
• Fix 11 BOLA/IDOR vulnerabilities in items.queries.php (credit goes to Lai Wei).

Improvements

• Faster items list rendering with skeleton loaders and a loading progress bar.
• Sub-folder and item count badges.
• Clearer read-only badges on items.
• Better status badges regarding users action on items.
• Improved global search: sub-folders hidden during search, a results header, and breadcrumb restored when opening an item from search results.
• API now emits a WebSocket event when an item is created via the API.
• Install/upgrade flow: more reliable post-install folder cleanup, automatic ownership (chown) handling, and clearer messages.

Fixes

• OAuth2 login corrections.
• TOTP submitted through the API is now stored correctly.
• Edit form could be opened without edition rights fixed.
• Several install/upgrade and schema-sync issues fixed.
• WebSocket: edition-lock handler fixes and server URL handling improvements.

Upgrade notes

1. Point your virtual host DocumentRoot to the public/ subdirectory.
2. Run the upgrade wizard; it migrates files/, upload/, backups/ into storage/ and
   includes/config/settings.php into app/config/.
3. Ensure PHP 8.2+ is installed for both FPM/Apache and the CLI (pcntl, posix required
   for the CLI).
4. Block HTTP access to public/install/ after upgrading.
5. If you run the WebSocket daemon, restart it after upgrade.

See docs/install/upgrade.md for full details.

Full Changelog

3.1.7.6...3.2.0.0

Important

• Requires at least PHP 8.2

Languages

Please join Teampass v3 translation project on Poeditor and translate it for your language.

Installation

Follow instructions from Documentation.

Upgrade

Follow instructions from Documentation.

Ideas and comments

Are welcome ... please use Discussions.