What's Changed
This is a security and stability release. Upgrading is strongly recommended for all installations, as it closes several authenticated vulnerabilities and access-control gaps.
🔒 Security fixes
- Mass-assignment privilege escalation in user management (GHSA-x8jf-9g87-j232) - the save_user_change handler wrote attacker-controlled columns into the users table, allowing a user to grant themselves admin. Writes are now restricted to an allow-list of non-privileged columns, with manager/admin target-scope enforcement. Also closes the related duplicate report GHSA-8mvg-rv84-jwgg and a residual cross-user API-key overwrite in the same handler.
- OAuth2 authentication bypass (GHSA-2mvr-v9w8-34c7) - an unbound oauth2LoginOngoing session flag let an OAuth2 user authenticate as any local/LDAP account. The flag is now bound to the authenticated subject (the submitted login must match the session userPrincipalName).
- SQL injection in the user-logs datatable (GHSA-fqg6-xvv8-w228) - an unvalidated ordering parameter was concatenated into the ORDER BY clause. The clause is now rebuilt from a fixed column map with a strict asc/desc allow-list.
- Authenticated path traversal / arbitrary file write in file upload (GHSA-wwxq-c766-v93w) - the on-disk destination was built from the POST name field with insufficient sanitization. Path separators and traversal are now rejected, the name is reduced to basename(), the checked extension is derived from the on-disk name, and a realpath() containment check is enforced.
🛡️ Access-rights enforcement (#5275)
Folder-level rights are now consistently enforced on bulk operations, matching the single-item paths and the UI:
- Mass item deletion now checks the folder delete right (previously only folder accessibility), so a user with No-Delete access can no longer bulk-delete via the search menu.
- Mass item move now enforces the delete right on the source folder and the edit right on the destination.
- items_delete no longer falls through to the deletion after a failed right check (which previously deleted the item anyway and returned malformed JSON). Unauthorized items are skipped and reported.
- Added the missing English and French language keys for the items_delete response (previously raw keys were shown to users).
🐛 Bug fixes
- Legacy attachment decryption after phpseclib v1→v3 migration (#5269) - attachments uploaded before the migration failed to decrypt. decryptFile() now tries v3 first and falls back to the legacy v1 key derivation. Item passwords were unaffected.
- Fatal 500 on login after idle session - an expired/garbage-collected session during an idle login page caused an uncaught TypeError. The login flow now emits the standard "session expired / log in again" dialog instead.
🛠️ Improvements
- API item cache (PR #5274) - item create/update/delete now keep the API item cache in sync, with an authorId parameter, a UNIQUE(id) constraint plus INSERT IGNORE to eliminate a duplicate-row race in the self-heal path (applied to the installer schema and to existing installs via upgrade), and new coverage in ApiItemCacheSyncTest.
- Admin - API users (PR #5273) - added search/filtering on the API users table and refactored the API-keys display logic.
- New-version notifications (PR #5270) - the admin dashboard now surfaces a new-version alert and lets admins view release messages, with dedicated brand/version badge styling.
⬆️ Upgrade notes
- A database upgrade step adds a UNIQUE(id) constraint to the API item cache table on existing installs, no manual action required, applied automatically by the upgrade.
Full Changelog
Full Changelog: 3.2.0.7...3.2.0.8
Important
- Requires at least
PHP 8.2
Languages
Please join Teampass v3 translation project on Poeditor and translate it for your language.
Installation
Follow instructions from Documentation.
Upgrade
Follow instructions from Documentation.
Ideas and comments
Are welcome ... please use Discussions.