Passbolt 5.11.0 "Got To be Real" marks SCIM provisioning as production-ready following an external security audit by Cure53. This release also adds PingOne as a new SSO provider and introduces OAuth support for SMTP authentication with Microsoft Exchange Online, ahead of Microsoft's planned deprecation of basic authentication at the end of 2026.
SCIM: audit fixes and general availability (Passbolt Pro)
SCIM provisioning, introduced as beta in Passbolt 5.5.0, is now marked as stable. With SCIM, administrators can create, update, suspend, and delete users directly from their identity provider, without ever touching the Passbolt UI. Microsoft Entra ID and Okta have been tested and validated as supported providers.
This milestone follows an external security audit conducted by Cure53, whose findings have been addressed across this and previous releases. The full report will be published shortly and made available to the community.
PingOne SSO support (Passbolt Pro)
This release adds PingOne as a new SSO provider. Organisations using PingOne can now authenticate their users without leaving their existing identity infrastructure.
PingOne joins the list of supported SSO providers alongside Azure AD, AD FS, Google, and the generic OpenID Connect connector that supports providers such as Keycloak or other in-house identity systems.
SMTP OAuth support for Microsoft Exchange Online
This release introduces OAuth 2.0 support for SMTP email delivery with Microsoft Exchange Online. Microsoft has announced that basic authentication for SMTP will be disabled by default at the end of 2026 (see Microsoft's updated deprecation timeline). Organisations using Exchange Online can start transitioning to OAuth now, ahead of the deadline.
Safari update (beta)
The Safari extension moves to its next milestone. While still in beta, organisations can now opt in by enabling a feature flag in the API configuration file or via an environment variable. Once enabled, the browser extension becomes available through what will become the stable package on the Apple Store, allowing organisations to deploy it for all their users.
Safari support is not yet fit for production use. For more details about the known limitations and risks, see the open beta announcement. We thank the community members participating in the TestFlight program for their continued feedback and encourage pioneers who are comfortable with the risk to enable it and share their experience.
To enable the Safari beta from the environment, set the PASSBOLT_PLUGINS_SAFARI_ENABLED variable to true.
To enable the Safari beta from the passbolt.php configuration file, add the following:
    'passbolt' => [
        'plugins' => [
            'safari' => [
                'enabled' => true,
            ],
        ],
    ],
Other changes
This release adds autofill support for ProxMox, OVH, Supermicro IPMI, and several other websites. We continuously work to improve autofill coverage and the feedback from the community is invaluable. If you encounter a website where autofill does not work as expected, do not hesitate to file a bug report.
As usual, the release is also packed with additional improvements and fixes. Check out the detailed logs to learn more.
Conclusion
Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!
Changelog
Added
- PB-49875 OAuth support for smtp authentication
- PB-50158 Add a feature flag to enable/disable Safari availability on a Passbolt instance
- PB-50199 As an admin I can contain my_group_user in POST /groups.json
- PB-50646 Add Permissions-Policy header on the API response
- PB-32992 [Pro] As a user I can use PingOne as single sign on provider
- PB-50524 [Pro] Move SCIM feature out of beta
Fixed
- PB-49323 As a user creating a resource, I should not get a 500 if the secret passed is not an array of secrets
- PB-40266 Health-check issues on Ubuntu 24 when running while being in a directory without the +x permission bit for www-data user (GITHUB #571)
- PB-50021 As a guest, I should not get a 500 on GET /users.json?contain[pending_account_recovery_request]=1
- PB-49823 Fix misleading email notification footer
- PB-50028 GITHUB - Fix GPG authentication nonce UUID validation using incorrect comparison operand (#592, #596)
- PB-50121 Replace rand() with a static counter to generate unique bind-parameter placeholder (GITHUB #595)
- PB-50241 As a logged-in user I should not get a 500 when logging-in again
- PB-49902 As a user I cannot create a v4 resource with v5 resource type
- PB-49286 [Pro] PBL-15-009 WP4: Non-transactional group member operations (Low)
- PB-49160 [Pro] PBL-15-012 WP1: Potential admin lockout via malicious IdP request (Low)
- PB-49159 [Pro] PBL-15-011 WP4: Lack of transaction wrapper in production sync (Low)
- PB-49285 [Pro] PBL-15-008 WP4: ScimEntry uniqueness race condition (Medium)
- PB-49284 [Pro] PBL-15-007 WP5: Potential DoS via pre-authentication GPG decryption (Low)
- PB-49151 [Pro] PBL-15-003 WP3: Lack of bearer token expiry & revocation schemes (Medium)
- PB-50646 - Add Permissions-Policy header on the API response
Improved
- PB-50070 Align X-Frame-Options with CSP and add missing X-XSS-Protection header
Maintenance
- PB-50133 Align allowCsvFormat variable name in plugin config.php
- PB-50173 Fix composer security vulnerability advisory affecting phpseclib/phpseclib package (CVE-2026-32935)
- PB-49096 Remove unused MFA assets & pages served by the browser extension