This release includes 8 security fixes and is relevant to security teams reviewing exposed deployments.
ReleasePort's take
Light signal: Passbolt v5.12.0 patches eight medium-severity dependencies (composer, phpseclib, lodash, uuid, bn.js, picomatch, i18next). The Safari extension reaches general availability and is now enabled by default.
Why it matters: the release patches eight medium-severity dependency vulnerabilities (composer, phpseclib, lodash, uuid, bn.js, picomatch, i18next). The Safari extension now defaults to enabled; test it against existing workflows before a wider rollout.
Summary
AI summary: Passbolt adds a PIN code resource type and makes the Safari extension generally available.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Fixes critical lodash package vulnerability (PB-50340). | — |
| Security | Medium | Fixes i18next-http-backend security vulnerability GHSA-r5fr-rjxr-66jc. | — |
| Security | Medium | Upgrades lodash package to address Medium severity advisory. | — |
| Security | Medium | Fixes GHSA-F886-M6HF-6M8V security vulnerability advisory (Medium). | — |
| Security | Medium | Upgrades picomatch package to address Medium severity advisory. | — |
| Security | Medium | Fixes uuid security vulnerability GHSA-w5hq-g745-h8pq (Medium). | — |
| Security | Medium | Fixes bn.js security vulnerability advisory GHSA-378v-28hj-76wf (Medium). | — |
| Security | Medium | Fixes composer/composer security vulnerabilities CVE-2026-40261 and CVE-2026-40176. | CVE-2026-40261, CVE-2026-40176 |
| Security | Medium | Fixes phpseclib/phpseclib security vulnerability CVE-2026-40194. | CVE-2026-40194 |
| Breaking | Medium | Enables Safari browser extension by default, ending open beta period. | — |
| Feature | Medium | Introduces dedicated Pin Code resource type for securely storing standalone PINs. | — |
| Performance | Medium | Refines browser extension's detection of TOTP fields to reduce false positives in autofill. | — |
| Bugfix | Medium | Fixes activity logging breaking after instance reset while executing Selenium tests. | — |
| Bugfix | Medium | Fixes dev test data inserting empty definitions for v5 resource types. | — |
| Bugfix | Medium | Fixes SCIM endpoints returning 500 errors on cloud when resourceType is not supported. | — |
| Refactor | Medium | Homogenizes CE and Pro codebase. | — |
| Other | Medium | Action logs purge command now covers additional entries, improving audit logs performance. | — |
Full changelog
Song: https://youtu.be/0udIM6eooUA
Passbolt 5.12.0 makes the Safari browser extension generally available, ending the open beta period. This release also introduces a new PIN code resource type, along with improvements to TOTP field detection and the usual round of security and dependency updates.
Safari Extension Out of Beta
The Safari extension is now offered by default to all Safari users, on equal footing with Chrome, Firefox, and Edge.
This milestone reflects months of work across both our internal testing and the open beta period, during which organisations enabled the extension on their own instances and gave feedback. Many thanks to everyone who joined the TestFlight program for the open beta. Your feedback shaped this release.
PIN code resource type
Passbolt 5.12 introduces a dedicated Pin Code resource type for securely storing standalone PINs such as door access codes, safes, alarm systems, SIM codes, or device unlock codes.
Unlike workarounds based on passwords or custom fields, Pin Codes now have their own dedicated form, icon, validation, and generation flow. PINs are strictly numeric and support 4 to 12 digits in accordance with the ISO 9564-1 standard.
Users can create, view, copy, and generate PIN codes directly from the browser extension, optionally alongside a secure note. A dedicated PIN code column can also be displayed in the resource grid, while administrators can enable or disable the resource type from the administration settings.
Import and export are supported, with automatic detection of compatible PIN code entries during import.
This release also lays the groundwork for additional resource types in future releases.
Maintenance and security
As usual, this release ships some third-party dependency upgrades and security advisory fixes, with no user-visible impact.
The release also refines the browser extension's detection of TOTP fields to reduce false positives in autofill. Many thanks to the community members who reported cases where the extension picked up unintended fields. Clearly, integrating with the wide variety of forms across the web is a community effort, and your feedback is what makes it possible.
For administrators, the action logs purge command now covers additional entries, improving audit log performance.
Conclusion
Many thanks to everyone who tried the Safari open beta, reported autofill issues, and contributed to making Passbolt better.
What’s next
Passbolt is also preparing for offline mode support, allowing users to securely access encrypted resources even when temporarily disconnected from the server. More details will be shared in upcoming releases!
[5.12.0] - 2026-05-12
Added
- PB-51081 Adds pin code resource type
- PB-51516 Enables Safari by default
Security
- PB-50625 Fixes GHSA-F886-M6HF-6M8V security vulnerability advisory (Medium)
- PB-50340 Upgrades picomatch package (Medium)
- PB-50538 Upgrades lodash package (Critical)
- PB-50895 Fixes bn.js security vulnerability advisory GHSA-378v-28hj-76wf (Medium)
- PB-50969 Fixes composer security vulnerability advisory affecting phpseclib/phpseclib package (CVE-2026-40194)
- PB-51135 Fixes security vulnerability advisory affecting composer/composer package (CVE-2026-40261, CVE-2026-40176)
- PB-51151 Fixes i18next-http-backend security vulnerability advisory GHSA-r5fr-rjxr-66jc (Medium)
- PB-51152 Fixes uuid security vulnerability advisory GHSA-w5hq-g745-h8pq (Medium)
- PB-51448 Fixes security vulnerability advisory affecting phpseclib/phpseclib package (CVE-2026-44167)
- PB-51208 Cleans up UserScimResource.php logged errors
- PB-51028 Sets SESSION_COOKIE_SAMESITE on Lax by default for all session engines
Maintenance
- PB-50893 As an administrator I can purge action additional logs by action via the logs purge command
- PB-50914 Homogenizes CE and Pro codebase
- PB-51243 Fixes activity logging breaking after instance reset while executing Selenium tests
- PB-51428 Fixes dev test data inserting empty definitions for v5 resource types
- PB-51541 Fixes SCIM endpoints returning 500 errors on cloud when resourceType is not supported
Security Fixes
- GHSA-F886-M6HF-6M8V: Medium severity advisory fix (PB-50625)
- lodash package upgraded, critical security fix (PB-50538)
- phpseclib vulnerability CVE-2026-40194 fixed (PB-50969)
- composer vulnerabilities CVE-2026-40261 and CVE-2026-40176 fixed (PB-51135)
- phpseclib vulnerability CVE-2026-44167 fixed (PB-51448)
- i18next-http-backend GHSA-r5fr-rjxr-66jc advisory fix (Medium) (PB-51151)
- uuid GHSA-w5hq-g745-h8pq advisory fix (Medium) (PB-51152)