
Release history

Teampass releases

Password manager dedicated to managing passwords in a collaborative way. One symmetric key is used to encrypt all shared/team passwords and is stored server side in a file and the database. Works on any server with Apache, MySQL and PHP.

All releases


3.1.7.6 Breaking risk
Breaking changes
  • Minimum PHP version raised to 8.1
Notable features
  • Health dashboard now shows a dedicated info-box for corrupted items count
  • Anti-bruteforce options page gains lock duration field and improved UI attributes (min=0, step=1)
Full changelog

What's Changed

Security Fixes

  • Access control bypass (folders): Read-only users were able to perform write operations (edit, delete, move) on folders they only had read access to. The per-folder user-read_only_folders restriction was not enforced in the folder query handler; only the global read-only flag was checked. All three operations are now guarded individually. Folder deletions now also record the responsible user in the audit log.
  • Privilege escalation (Manager role): A Manager-level user could grant the can_create_root_folder permission to other users, which is reserved for administrators. The UI toggle and the server-side handler now both restrict this option to admins.
  • Circular folder reference: Moving a folder into one of its own descendants caused an infinite loop. A cycle-detection guard is now applied before any folder move is committed.

Bug Fixes

Authentication & LDAP

  • Infinite account-disable loop on LDAP password change: When an LDAP user changed their password and had no transparent recovery data (accounts predating that feature), handleExternalPasswordChange() unconditionally disabled the account. Re-enabling via the admin panel would trigger the same failure on the next login, creating an infinite disable loop. The function now distinguishes between "no recovery data" (updates the password hash and sets special='recrypt-private-key' without disabling) and genuine decryption failures (which still disable the account).
  • Transparent recovery false-positive: AES-CBC decryption with the wrong key can produce valid-UTF-8 garbage approximately 0.4% of the time. A -----BEGIN PEM guard is now applied after decryption so SHA-256 false-positives are caught and retried with SHA-1 before failing.
  • integrity_check_failed treated as fatal: An integrity check failure (e.g. after a server key file was restored from backup) incorrectly disabled user accounts. This condition is now treated like "no recovery data"; the user is prompted to re-enter their password via the re-encryption modal rather than being locked out.
  • Wrong private_key_backup encoding: changeUserLDAPAuthenticationPassword() was storing AES(base64(PEM)) in the backup field instead of AES(PEM). On the next LDAP password change, attemptTransparentRecovery() would fail the PEM validation guard and disable the account. The missing base64_decode() call has been added, consistent with every other backup-creation site in the codebase.
  • Anti-bruteforce configuration not applied correctly (PR #5184 by @guerricv): addFailedAuthentication() was not receiving the $SETTINGS array at all call sites, so the brute-force limits were never evaluated. The lock duration validation logic has been simplified, default seed values for nb_bad_authentication_by_ip and bruteforce_lock_duration are now seeded via INSERT IGNORE during upgrade, and the admin panel now includes an IP blacklist management handler.
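The transparent-recovery fixes above (the PEM guard after decryption and the AES(PEM) versus AES(base64(PEM)) backup encoding) share one lesson: a decryption that "succeeds" is not proof that the right key was used, so the recovered blob has to be validated structurally before the account state is touched. The following is an added illustration, not TeamPass code: it uses a toy SHA-256 counter-mode keystream with PKCS#7 padding as a stand-in for AES-CBC, and the candidate labels `sha256` / `sha1` and the recovery function names are assumptions. It shows how often a wrong key slips past the padding check alone, and that the PEM header guard rejects every one of those false positives while the retry order still finds the legacy-derived key.

```python
import hashlib
import random
from typing import List, Optional, Sequence, Tuple

BLOCK = 16


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> Optional[bytes]:
    """Return the unpadded data, or None when the padding bytes are inconsistent."""
    if not data or len(data) % BLOCK:
        return None
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode) standing in for AES; not for real use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    padded = pkcs7_pad(plaintext)
    return bytes(a ^ b for a, b in zip(padded, keystream(key, len(padded))))


def toy_decrypt(key: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Under a wrong key the output is random, so the padding check alone accepts
    garbage for roughly 1 in 256 keys: that is the false positive the guard must catch."""
    padded = bytes(a ^ b for a, b in zip(ciphertext, keystream(key, len(ciphertext))))
    return pkcs7_unpad(padded)


def is_pem_private_key(plaintext: bytes) -> bool:
    """Structural guard: the recovered blob must be valid UTF-8 and carry a PEM header."""
    try:
        text = plaintext.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return text.startswith("-----BEGIN") and "PRIVATE KEY-----" in text


def recover_private_key(backup: bytes, candidates: Sequence[Tuple[str, bytes]]) -> Optional[Tuple[str, bytes]]:
    """Try each (label, key) in order; accept a result only if it passes the PEM guard."""
    for label, key in candidates:
        plaintext = toy_decrypt(key, backup)
        if plaintext is not None and is_pem_private_key(plaintext):
            return label, plaintext
    return None  # genuine failure: caller decides what to do with the account


def key_candidates(password: str) -> List[Tuple[str, bytes]]:
    """Current derivation first, legacy derivation as the retry (labels are assumptions)."""
    pw = password.encode()
    return [("sha256", hashlib.sha256(pw).digest()), ("sha1", hashlib.sha1(pw).digest())]


def wrong_key_false_positives(trials: int, seed: int = 1) -> Tuple[int, int]:
    """Decrypt a backup under `trials` wrong keys: (passed padding check, passed PEM guard)."""
    rng = random.Random(seed)
    # Constructed sample PEM; the body is not a real key.
    pem = b"-----BEGIN PRIVATE KEY-----\nMIIEconstructedSample==\n-----END PRIVATE KEY-----\n"
    backup = toy_encrypt(hashlib.sha256(b"correct password").digest(), pem)
    padding_ok = pem_ok = 0
    for _ in range(trials):
        wrong = rng.getrandbits(256).to_bytes(32, "big")
        plaintext = toy_decrypt(wrong, backup)
        if plaintext is not None:
            padding_ok += 1
            if is_pem_private_key(plaintext):
                pem_ok += 1
    return padding_ok, pem_ok
```

Run `wrong_key_false_positives(20000)` and the first counter lands near 78 (about 0.4%) while the second stays at zero; that gap is why the guard sits after decryption and why a guard failure on the first candidate must fall through to the retry instead of disabling the account.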

Installation & Upgrades

  • bck_script_passkey encryption during fresh install: The backup script passkey was generated in install step 5, before the encryption key was available. Generation has been moved to step 6 where $encryptionKey is defined; an empty placeholder is inserted in step 5. cryptionForInstall() is also now guarded against undefined SECUREPATH/SECUREFILE constants to prevent a fatal crash.
  • Missing show_subfolders column: The column was absent from fresh installs and was not added by 3.1.x upgrade scripts, causing database errors. It is now created during step 5 of the installer and added by the 3.1.7 upgrade script when missing.
  • Install folder not deleted after upgrade (#5183 by @guerricv): recursiveChmod() was called with file and directory permission arguments in the wrong order, causing the recursive permission change to fail silently. The clear_install_folder flag is now consumed only when deletion actually succeeds.

Items & Folders

  • Corrupted items integrity scan (PR #5182 by @guerricv): Integrated the community-contributed corrupted items scan with fixes: replaced SQL string concatenation with MeekroDB %l placeholders, fixed severity inconsistency in notice builder, added set_time_limit(0) to prevent fatal timeouts during RSA decryption on large databases, removed a redundant ALTER TABLE, and fixed a double folder-tree load on the items page. When a password is updated, the item's corrupted state is now automatically cleared.
  • Duplicate folder name check on rename: Renaming a folder to its current name was incorrectly flagged as a duplicate. Collapse/expand UI state was also not preserved correctly after a rename.
  • Items tree refresh and profile display (#5178 by @guerricv): The folder tree load strategy (lazy vs. full) was not preserved after a profile display change triggered a page refresh. Using $(this).delay().queue() to defer the refresh was also unreliable; replaced with setTimeout(). A missing break in users.queries.php was preventing a correct JSON response for empty user_profile_update payloads.

User Management

  • Manager user list filtering: When a Manager (non-admin, non-HR-manager) had no assignable roles, the SQL WHERE clause was left with a trailing AND that broke the query and could expose all users. The filter now emits AND FALSE in that case so the result is correctly empty. The roles array is also built once with array_values(array_filter(...)) and shared between the SQL filter and the PHP-side in_array check, eliminating mismatches caused by empty string entries in the session value.
  • Role and administration-role dropdowns in user edit: Admins and users with the global user-management permission now see all available roles in the role and administration-role selectors when editing a user, instead of only their own roles. Role-managers without that permission continue to see only the roles they personally hold.
  • Pagination state reset on user list: If the DataTable pagination state saved by the browser pointed beyond the total number of visible users (e.g. after a user was deleted), the list appeared empty. The offset is now reset to page 0 in that case.
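The Manager user-list fix above is a general pattern: a filter built by string concatenation that degrades to "no filter" when its input list is empty fails open, and the safe fallback is an explicit `AND FALSE`. The example below is added here and is not TeamPass code; it models the defect and the fix against an in-memory SQLite table with constructed users, and the table layout (`login`, `role_id`, `deleted`) and function names are assumptions. The buggy builder is a constructed model of the failure described, not the project's original query.

```python
import sqlite3
from typing import Callable, List, Sequence, Tuple

# Constructed sample users: (id, login, role_id, deleted).
SAMPLE_USERS = [
    (1, "admin", 1, 0),
    (2, "alice", 2, 0),
    (3, "bob", 3, 0),
    (4, "carol", 2, 1),  # soft-deleted: must never be listed
]


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role_id INTEGER, deleted INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def normalize_roles(session_roles: Sequence[str]) -> List[int]:
    """Counterpart of array_values(array_filter(...)): drop empty entries once,
    then reuse the same list for the SQL filter and the application-side check."""
    return [int(r) for r in session_roles if str(r).strip() != ""]


def build_where_buggy(session_roles: Sequence[str]) -> Tuple[str, List[int]]:
    """Constructed model of the defect: the role restriction is appended only when
    at least one role exists and a dangling AND is trimmed afterwards, so an empty
    role list silently degrades to 'every non-deleted user'."""
    roles = normalize_roles(session_roles)
    where = "deleted = 0 AND "
    if roles:
        where += "role_id IN (%s)" % ",".join("?" * len(roles))
    if where.endswith(" AND "):
        where = where[: -len(" AND ")]
    return where, roles


def build_where_fixed(session_roles: Sequence[str]) -> Tuple[str, List[int]]:
    """Emit AND FALSE when the manager has no assignable role: the query stays
    valid and returns nothing instead of everything."""
    roles = normalize_roles(session_roles)
    if not roles:
        return "deleted = 0 AND FALSE", []
    return "deleted = 0 AND role_id IN (%s)" % ",".join("?" * len(roles)), roles


def list_users(conn: sqlite3.Connection, builder: Callable, session_roles: Sequence[str]) -> List[str]:
    """Raw result of the SQL filter alone, for comparing the two builders."""
    where, params = builder(session_roles)
    rows = conn.execute("SELECT login FROM users WHERE " + where, params).fetchall()
    return sorted(login for (login,) in rows)


def visible_users(conn: sqlite3.Connection, session_roles: Sequence[str]) -> List[str]:
    """Fixed path end to end: SQL filter plus the in_array()-style check, both fed
    from the same normalized list so an empty-string session entry cannot make them disagree."""
    where, params = build_where_fixed(session_roles)
    allowed = set(normalize_roles(session_roles))
    rows = conn.execute("SELECT login, role_id FROM users WHERE " + where, params).fetchall()
    return sorted(login for login, role_id in rows if role_id in allowed)
```

With an empty role list the buggy builder returns every active user, the fixed builder returns nothing, and a session value such as `["", "2"]` yields only the role-2 users on both the SQL and the application side.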

Logs

  • Failed authentication log table (#5184 by @guerricv): Columns were reordered (IP address now shown before user agent), horizontal scrolling is enabled, and responsive/auto-width modes are disabled to prevent column layout issues on smaller screens.

Improvements

  • Health dashboard: The corrupted items count is now displayed as a dedicated info-box on the Health overview page.
  • Anti-bruteforce options page (#5184 by @guerricv): The bruteforce settings fields now have min=0 and step=1 attributes and improved keyword tagging for the settings search. A lock duration field has been added alongside the existing attempt count.
  • Orphan objects maintenance task.

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.7.5...3.1.7.6

Important

  • Requires at least PHP 8.1

Languages

Please join Teampass v3 translation project on Poeditor and translate it for your language.

Installation

Follow instructions from Documentation.

Upgrade

Follow instructions from Documentation.

Ideas and comments

Are welcome ... please use Discussions.

3.1.7.5 Breaking risk
Breaking changes
  • Minimum PHP version raised to 8.1
Notable features
  • Online Users Panel with avatar rendering and visibility toggle
  • Health Logs Settings administration section with hardened path validation
  • Browser Extension FQDN auto-persist when API is enabled
Full changelog

What's Changed

New Features

  • Online Users Panel - Added a sidebar drawer showing currently connected users, with avatar rendering and configurable visibility toggle in settings (#5155)
  • Health Logs Settings - New administration section to configure and manage runtime/health log file paths, with hardened path validation (blocks path traversal via realpath()) (#5168)
  • Browser Extension FQDN Auto-persist - When enabling the API, the browser extension FQDN is now automatically saved (#5169)

Bug Fixes

  • Custom field encryption state mismatch - Fixed read path in show_details_item: raw ciphertext was returned to the client when encrypted_data=0 but encryption_type='teampass_aes'; the branch now returns a decryption_failed error instead (#5161)
  • LDAP authentication with special characters in password — Fixed authentication failure for passwords containing certain special characters (#5160)
  • Folder filter UX - Fixed broken folder filter UI behavior; action buttons are now properly disabled when appropriate (#5174)
  • Backup passkey handling - Refactored and fixed backup script passkey resolution, encryption, and storage logic; passkey is now properly encrypted during installation
  • Create folder when no folder exists - Fixed crash when creating the first folder in an empty tree
  • File permissions hardening - Improved install/upgrade requirement checks for file permissions
  • Import feature access - Admin users can now access the Import feature even when it is disabled for regular users
  • Password dialogs - Fixed several issues in password display and copy dialogs (#5157)

Improvements

  • Backup passkey management - Fully refactored passkey resolution logic with clearer logging and better key candidate handling
  • Split view / full screen item view - Refactored view switching logic for better reliability
  • Admin page - Grouped and reorganized CSS classes; removed stale admin.js.php
  • Users page - Various UX improvements
  • XSS protection - Added tpEscapeHtml() utility function for consistent HTML escaping in JS

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.7.4...3.1.7.5

Important

  • Requires at least PHP 8.1


3.1.7.4 Security relevant
⚠ Upgrade required
  • Minimum PHP version raised to 8.1
  • FontAwesome upgraded to version 7.2 (including symbolic link path fix)
Security fixes
  • Custom field encryption performed before database INSERT, removing plaintext persistence window; added decryptUserObjectKeyWithMigration() migration handling and cleanup of orphaned encrypted rows during personal→public folder moves
Notable features
  • BIP-39 passphrase generator with multi-language support (8 languages) and client-side generation
  • Reveal toggle eye icon for masked custom field values in item detail view
  • Server-side PasswordGeneratorService meeting folder complexity requirements
Full changelog

What's Changed

New Features

BIP-39 Passphrase Generator

A passphrase generator is now available alongside the existing password generator in the item creation and edit forms. It uses BIP-39 word lists and supports 8 languages (English, French, Spanish, Italian, Czech, Portuguese, Japanese, Chinese) with automatic fallback to English. Options include word count (3–8), separator character, and capitalization. Word count minimum is driven by the folder's complexity requirement. Separator preference is persisted in localStorage across sessions. All generation is client-side using crypto.getRandomValues(); no server round-trip or external call at runtime.

Reveal Toggle for Masked Custom Fields

An eye icon button now appears next to the copy button on masked custom fields in the item detail view. Clicking it toggles between the asterisk placeholder and the actual field value, using the same fa-eye / fa-eye-slash pattern as the password reveal button.

Server-Side Smart Password Generation

A new PasswordGeneratorService class generates passwords server-side that meet a folder's minimum complexity requirement in a single call, replacing the previous client-side iterative AJAX loop.


Bug fixes

Custom Fields — Encryption Atomicity Gap (Security)

Custom field values are now encrypted before INSERT instead of after, eliminating the window where plaintext could be persisted if the subsequent UPDATE failed. All read paths (show_details, copy_item) now use decryptUserObjectKeyWithMigration(), enabling transparent phpseclib v1→v3 migration on read. During a personal→public folder move, non-encrypted fields are skipped and orphaned encrypted field rows (whose sharekey is missing) are deleted and logged rather than left permanently undecryptable.

"New Item" Button — "Please select a folder" Error After Login

itemsListFolderId was not updated when navigating the folder tree directly. On a fresh page load, if the user clicked "New" before the jstree state plugin fired select_node.jstree, both fallback values were false and the folder selection error appeared despite the tree showing a selected folder. Fixed by syncing itemsListFolderId with selectedFolder on every tree selection, and falling back to selectedFolder in the loaded.jstree handler.

Subfolders Not Shown on Page Load When Session Folder Is Restored

Subfolders were not displayed when a previously selected folder was restored from the session on page load.

Personal Folder — Sharekey Ownership Integrity

Fixed a bug in EnsurePersonalItemHasOnlyKeysForOwner() that could leave stale sharekeys for other users on personal items.


Maintenance

FontAwesome Upgraded to 7.2

The FontAwesome library has been upgraded to version 7.2, including a fix for the symbolic link path.

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.7.3...3.1.7.4

Important

  • Requires at least PHP 8.1


3.1.7.3 Bug fix
⚠ Upgrade required
  • Requires at least PHP 8.1
Notable features
  • Loading spinner added to password field during fetch/decrypt
  • Parallel privilege check improves edit-form latency
  • Version badge now uses in-memory ConfigManager cache and DNS pre-flight check
Full changelog

What's Changed

Bug Fixes

Item editing

  • Fixed custom fields from previously visited folders accumulating in the new/edit form when switching folders without a page reload. All category fields are now properly hidden before revealing only those belonging to the current folder (#5147).
  • Fixed subfolders not being displayed after saving an item. groupe_id is now normalized with parseInt() before being passed to displaySubfolders().
  • Fixed password field in edit form not loading the actual password when opening the edit view via the pencil icon from the item list (#5144 by @guerricv).
  • Restore password modal display for local user password generation flows (#5143 by @guerricv).
  • Improve user attribution in the task manager for several background task types that were displayed as anonymous (#5143 by @guerricv).
  • Fix unusable Select2 dropdowns in the folder edit right sidebar (#5140 by @guerricv).
  • Persist the selected folder depth filter on the folders page for the current browser session (#5140 by @guerricv).
  • Fix item password complexity refresh/generation consistency and list duplicate refresh after deletion (PR #5141 by @guerricv) (Fix #5138, #5139).

Docker / restricted PHP environments

  • Fixed a fatal error during upgrade prerequisites check when exec() is disabled via disable_functions in php.ini (e.g. Docker). The call is now guarded with function_exists('exec') and gracefully reports missing optional extensions instead of crashing. (#5137)
  • Fixed CSRF cookie Secure flag being forced to true during installation on HTTP deployments (Docker without a reverse proxy). The flag is now derived from the configured URL protocol, preventing silent login failures. (#5137)
  • Fixed a fatal error in background task handler (triggerBackgroundHandler) when exec() is disabled, and corrected an early-return issue in step99 that could prevent task completion. (#5127)

Access rights & sharekeys

  • Fix users admin panels visibility/authorization and notify admins on account lock (PR #5135 by @guerricv)
  • Fixed access rights check during copy_item and move_item operations. getItemFolderIdFromDb() was silently overriding the caller's $treeId, causing incorrect permission evaluation on the target folder.
  • Fixed deleteUserObjetsKeys() incorrectly cleaning up file sharekeys: object_id in sharekeys_files references files.id, not items.id. The query now resolves the owning item through the correct files JOIN items relation.

Performance

  • Eliminated a duplicate get_complixity_level backend request when opening item edition. The edit form now reads complexity/visibility data from the store already populated by getPrivilegesOnItem().
  • Cached SHOW COLUMNS results in EnsurePersonalItemHasOnlyKeysForOwner() with a static variable; schema discovery queries now execute once per PHP process instead of on every call.

Improvements

Password field UX in edit form (#5141 by @guerricv)

  • Added a loading spinner in the password field while the encrypted password is being fetched and decrypted.
  • Password fetch and privilege check now run in parallel, reducing total latency when opening the edit form.

Version badge (admin panel) (#5146 by @guerricv)

  • Version badge now reads the release cache from ConfigManager (already in memory) instead of issuing separate DB queries.
  • Added a DNS pre-flight check (checkdnsrr()) before any GitHub API call; the check is skipped entirely on air-gapped servers.
  • Added a browser-side sessionStorage cache (4h TTL) to avoid redundant AJAX calls on subsequent page loads within the same session.

Enhancement: enforce Network ACL on API entry point (#5142 by @guerricv)

  • The web UI ACL is already enforced early in the application bootstrap. This change applies the same ACL evaluation logic to the API, so that blocked IPs cannot request an authorization token, cannot call authenticated API endpoints, and cannot bypass the web ACL by using the API directly.

Security badge on passwords

  • Item detail panel now displays a green Secure or red Not secure badge next to the password label, based on an OWASP ASVS-aligned policy (minimum length ≥ 12 and complexity score ≥ 70).

Database integrity

  • Added a UNIQUE KEY on teampass_misc(type, intitule) to prevent duplicate settings rows.
  • All INSERT statements targeting teampass_misc are now idempotent (INSERT IGNORE / ON DUPLICATE KEY UPDATE).

Documentation

  • Improved server migration guide.
  • Updated GitHub issue report template with a more structured format.

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.7.2...3.1.7.3

Important

  • Requires at least PHP 8.1


3.1.7.2 Breaking risk
⚠ Upgrade required
  • Requires at least PHP 8.1
Notable features
  • REST API now enforces configured network ACL rules (403 Forbidden for blocked IPs)
  • Folder depth filter state persisted via store.js across reloads
  • Logs datatable functions reordered to eliminate forward references
Full changelog

What's Changed

Bug Fixes

Active Directory - objectGUID byte order

Fixed a long-standing bug where AD group lookup failed silently for users authenticating via Azure AD / Active Directory. The manual byte-sequential unpacking of objectGUID produced a byte-swapped UUID that never matched the value shown in the AD portal. Replaced with LdapRecord\Models\Attributes\Guid which handles the Windows mixed-endian byte order correctly.

Password generator - search retry loop (PR #5141)

Fixed a regression where the password generator could skip already-tried sizes when retrying in both directions. The retry loop now checks both lowerTriedSizes and upperTriedSizes on every iteration, preventing redundant AJAX calls. A missing warning message is now shown via toastr when the generator cannot find a password matching the required complexity.

Admin - change user password dialog reset (PR #5143)

Removed a duplicate .prop('checked', false) call that fired before resetAdminChangeUserPasswordDialogContext(), causing a visual glitch where the password checkbox flickered on dialog open.

Background tasks - user display in logs (PR #5143)

Fixed log entries where background task rows showed no user name. getBackgroundTaskUserDisplayFromUserId() now correctly falls back to login when name/lastname are empty, and HTML entities are decoded then re-encoded safely before output.

Email recipient name in new-user notification (PR #5143)

Fixed emails sent to new users having a blank recipient name. The task handler now builds the display name from name + lastname, falling back to login when both are empty.

Improvements

API - network ACL enforcement (PR #5142)

The REST API (/api/index.php) now enforces the network access control rules configured in TeamPass settings. Requests from blocked IP ranges receive a 403 Forbidden response with a localized error message. Language detection from Accept-Language header is supported (English and French).

Folder depth filter - persistent state (PR #5140)

The folder depth filter selection is now persisted across page reloads via store.js instead of sessionStorage, consistent with the rest of the TeamPass client-side state management.

Items page - code simplification

Eight single-use helper functions in items.js.php have been inlined at their call sites, reducing indirection and making the file easier to follow. A redundant websocketClientAvailable check in reloadItemDetailsAfterSave was removed (the condition reduces to websocketExpected only).

Logs datatable - function ordering

Moved normalizeBackgroundTaskDisplayValue(), getBackgroundTaskUserDisplayFromUserId(), and resolveBackgroundTaskUserDisplay() above their first call site in logs.datatables.php to eliminate forward-reference issues.

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.7.1...3.1.7.2

Important

  • Requires at least PHP 8.1


3.1.7.1 Breaking risk
⚠ Upgrade required
  • Requires at least PHP 8.1
  • Fresh installs now correctly create the network_acl table and its five default settings (network_blacklist_enabled, network_whitelist_enabled, network_security_mode, network_security_header, network_trusted_proxies)
Security fixes
  • Fixed missing admin privilege check for all six Network ACL AJAX actions, preventing any authenticated user from reading or modifying firewall rules
Notable features
  • Admin notification email on account lockout
  • Network ACL enforcement in core request flow (HTTP 403 for blocked IPs)
Full changelog

What's Changed

This is a patch release that builds directly on 3.1.7.0, delivering security hardening, new admin notifications, and a number of install/upgrade reliability fixes.

Security

  • Network ACL — privilege escalation fix (PR #5134 by @guerricv): All six Network ACL AJAX actions (network_get_rules, network_save_settings, network_save_rule, network_delete_rule, network_toggle_rule, network_add_special_rule) were missing an admin privilege check. Any authenticated user could previously read or modify firewall rules. The check is now enforced on every action.
  • Users panel access hardening (PR #5135 by @guerricv): The inactive-users and deleted-users panels, as well as LDAP/OAuth2 sync actions, are now restricted to administrators only, both on the page and in the backend query handler.

New Features

  • Admin notification on account lockout (PR #5135 by @guerricv): When the anti-brute-force mechanism locks a user account, all administrator accounts with a valid email address now automatically receive a notification email containing the locked username, name, email, source IP, and scheduled unlock time.
  • Network ACL enforcement in core request flow: The Network ACL rules are now evaluated in sources/core.php before any page is served. A blocked IP receives an HTTP 403 with a localised error page instead of reaching the login screen.
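Enforcing the Network ACL in the core request flow (and, per 3.1.7.2 and 3.1.7.3, on the API entry point) raises one question the settings list hints at with network_trusted_proxies: which address is the rule evaluated against when the application sits behind a reverse proxy. The example below is added here and is not TeamPass code; the blacklist/whitelist precedence, the settings dictionary layout and the function names are assumptions. It honours X-Forwarded-For only when the socket peer is a configured trusted proxy, walks the header from the right so a client cannot prepend an allowed address, and returns the 403 decision the release describes.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple


def parse_networks(cidrs: Iterable[str]) -> list:
    """Accept single addresses or CIDR ranges, IPv4 or IPv6."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]


def in_any(ip, networks) -> bool:
    # ipaddress never matches an IPv4 address against an IPv6 network, or vice versa.
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr: str, forwarded_for: Optional[str], trusted_proxies: Iterable[str]):
    """Decide which address the ACL is evaluated against.

    X-Forwarded-For is honoured only when the socket peer is a trusted proxy;
    otherwise any client could spoof an allowed address. The header is walked
    right to left, skipping trusted hops, so the chosen address is the one the
    nearest trusted proxy actually saw.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = parse_networks(trusted_proxies)
    if not forwarded_for or not in_any(peer, trusted):
        return peer
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the socket peer
        if not in_any(candidate, trusted):
            return candidate
    return peer  # every hop was a trusted proxy; nothing further to trust


def evaluate_acl(ip, settings: Dict[str, object]) -> Tuple[int, str]:
    """Return (HTTP status, reason). Assumed semantics: an enabled blacklist denies
    matching addresses, an enabled whitelist denies everything it does not list."""
    if settings.get("network_blacklist_enabled") and in_any(ip, parse_networks(settings.get("blacklist", []))):
        return 403, "blacklisted"
    if settings.get("network_whitelist_enabled") and not in_any(ip, parse_networks(settings.get("whitelist", []))):
        return 403, "not whitelisted"
    return 200, "allowed"


def check_request(remote_addr: str, forwarded_for: Optional[str], settings: Dict[str, object]) -> Tuple[int, str, str]:
    """What a bootstrap hook would do before serving a page or issuing an API token."""
    ip = resolve_client_ip(remote_addr, forwarded_for, settings.get("network_trusted_proxies", []))
    status, reason = evaluate_acl(ip, settings)
    return status, reason, str(ip)


# Constructed settings: one trusted reverse proxy range and one blocked client range.
SAMPLE_SETTINGS = {
    "network_blacklist_enabled": True,
    "network_whitelist_enabled": False,
    "network_trusted_proxies": ["10.0.0.0/8"],
    "blacklist": ["203.0.113.0/24"],
    "whitelist": [],
}
```

A request arriving through the trusted proxy with `X-Forwarded-For: 203.0.113.7, 10.0.0.3` is attributed to 203.0.113.7 and rejected; the same header sent directly by an untrusted peer is ignored and the peer's own address is evaluated instead.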

Bug Fixes

  • Fresh-install missing tables (PR #5133 / #5134): The network_acl table and its five default settings (network_blacklist_enabled, network_whitelist_enabled, network_security_mode, network_security_header, network_trusted_proxies) were only created by the upgrade path, not the installer. Fresh installs now create them correctly in step 5 (run.step5.php, check57).
  • Missing installer tables (#5133): users_options_favorites and encryption_migration_stats tables were absent from the installer's step-5 checklist. The install step sequence has been corrected (checks 54–58).
  • Duplicate JS function definitions (PR #5134): norm01(), applyToggleState(), and bindToggleFix() were declared twice in options.js.php (once globally, once inside the tpNetworkAcl IIFE), causing potential redeclaration errors. The duplicates have been removed.

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.7.0...3.1.7.1

Important

  • Requires at least PHP 8.1


3.1.7.0 Breaking risk
⚠ Upgrade required
  • Database schema updates include new tables `teampass_websocket_events`, `teampass_websocket_tokens`, `teampass_websocket_connections`, and modifications to `teampass_cache_tree` (added `invalidated_at` column, `idx_user_id` index) plus additional tables (`teampass_favorites`).
  • New `teampass_misc` settings for Redis session storage (`redis_session_enabled`, `redis_host`, `redis_port`, `redis_prefix`) and WebSocket configuration (`websocket_enabled`, `websocket_host`, `websocket_port`).
  • Composer dependencies upgraded (e.g., `firebase/php-jwt` from v6.9 to v7.0).
Breaking changes
  • Minimum PHP version raised to 8.1
Security fixes
  • SQL injection vulnerabilities fixed in ItemController API endpoints by sanitising JWT IDs and escaping user input
  • WebSocket security hardening: single-use tokens limited to 60 s, reconnect token transmitted only over WS channel, object injection prevented, per-user API permissions enforced, IP-based rate limiting added
Notable features
  • Real-time WebSocket synchronization with item, folder, user, and task events
  • Permissions engine overhaul: direct folder grants restored and least-permissive multi-role resolution
  • Folder rights panel redesign (scrollable modal) and faster folder list rendering on Roles & Folders page
Full changelog

What's Changed

Highlights

TeamPass 3.1.7.0 is a major feature release introducing real-time WebSocket synchronization, a complete overhaul of the permissions engine, significant performance improvements, and a wide range of security hardening and bug fixes accumulated across five release candidates.

New Features

Real-Time WebSocket Synchronization

A new WebSocket server (Ratchet 0.4.4 + ReactPHP) provides live updates across all connected clients without page refresh.

  • Item events — create, update, delete, and move operations are broadcast instantly to all users viewing the same folder.
  • Edition locking — when a user opens an item for editing, all other users see a live lock indicator. The lock is released automatically on disconnect, save, or cancel.
  • Folder events — folder create, rename, delete, and permission changes are pushed in real time.
  • User & task events — encryption key readiness (user_keys_ready), background task progress, session expiry, and system maintenance notifications.
  • Role permission refresh — when an administrator changes role permissions, all affected users receive a folder-tree refresh immediately without re-login.
  • Auto-reconnect — the JS client reconnects with exponential backoff (max 30 s, 10 attempts) and a secure reconnect token (never passed in URLs).
  • Systemd unit (teampass-websocket.service) included for production deployments.
  • WebSocket can be enabled/disabled from the admin panel; host/port are configurable via teampass_misc.

Permissions Engine Overhaul

  • Direct folder grants restored — folders assigned directly to a user (via users_groups) always grant full write access, regardless of any role-level restriction on the same folder.
  • Least-permissive multi-role resolution — when a user holds multiple roles that disagree on a folder's access level, the most restrictive permission wins (write > no-delete > no-export > read).
  • Effective permission helper (evaluateFolderAccesLevel()) introduced in main.functions.php and used consistently across items and users.
  • Deprecated list_folders_limited and list_restricted_folders_for_items session variables removed; all checks now use the unified user-accessible_folders.
  • Per-user direct grants now passed as the base allowed set to identUserGetPFList(), restoring correct folder visibility after a role change.
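The two resolution rules above (a direct grant always yields write, and disagreeing roles resolve to the most restrictive level in the order write > no-delete > no-export > read) are small enough to state as code. The following is an added example, not the project's evaluateFolderAccesLevel(); the level codes `W`/`ND`/`NE`/`R` follow the filter buttons named later in these notes, the input shapes and function names are assumptions, and so is the choice that a role which does not mention a folder simply does not contribute rather than counting as a "no access" vote.

```python
from typing import Dict, Optional, Set

# Access levels from most to least permissive, in the order the release note gives.
LEVEL_RANK = {"W": 3, "ND": 2, "NE": 1, "R": 0}


def evaluate_folder_access_level(
    folder_id: int,
    direct_grants: Set[int],
    role_grants: Dict[str, Dict[int, str]],
) -> Optional[str]:
    """Effective level for one folder, or None when nothing grants it.

    direct_grants: folders assigned straight to the user (the users_groups case);
    role_grants:   {role_name: {folder_id: level}} for every role the user holds.
    """
    if folder_id in direct_grants:
        return "W"  # a direct grant always wins with full write access
    levels = [grants[folder_id] for grants in role_grants.values() if folder_id in grants]
    if not levels:
        return None
    # Least-permissive resolution: the lowest-ranked level wins when roles disagree.
    return min(levels, key=lambda level: LEVEL_RANK[level])


def accessible_folders(direct_grants: Set[int], role_grants: Dict[str, Dict[int, str]]) -> Dict[int, str]:
    """The user's accessible-folder set with its effective level per folder."""
    candidates = set(direct_grants)
    for grants in role_grants.values():
        candidates.update(grants)
    result = {}
    for folder_id in sorted(candidates):
        level = evaluate_folder_access_level(folder_id, direct_grants, role_grants)
        if level is not None:
            result[folder_id] = level
    return result


def contributing_roles(folder_id: int, role_grants: Dict[str, Dict[int, str]]) -> Dict[str, str]:
    """One badge per contributing role, as a rights panel would list them."""
    return {role: grants[folder_id] for role, grants in role_grants.items() if folder_id in grants}


# Constructed sample: two roles disagree on folder 1, and folder 2 is granted directly
# even though one role only allows reading it.
SAMPLE_DIRECT = {2}
SAMPLE_ROLES = {
    "developers": {1: "W", 2: "R"},
    "operators": {1: "ND", 3: "NE"},
}

if __name__ == "__main__":
    print(accessible_folders(SAMPLE_DIRECT, SAMPLE_ROLES))  # {1: 'ND', 2: 'W', 3: 'NE'}
```

Folder 1 resolves to `ND` because the operators role is more restrictive than developers, folder 2 resolves to `W` because the direct grant overrides the read-only role, and a folder no role or grant mentions is simply absent from the accessible set.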

Folder Rights Panel Redesign (Users page)

  • Folder rights now displayed in a scrollable modal instead of an inline card.
  • Animated progress bar while folder data loads.
  • Client-side filter buttons for permission types (W / ND / NE / R / no access).
  • "Roles" column showing one badge per contributing role and its individual permission type.

Roles & Folders Page Improvements

  • Folder list loads faster with continuous (non-blocking) rendering.
  • Forms replaced by modals for a cleaner UX.

Options Management

  • Options management: New UI to manage Options by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5132.

API Enhancements

  • New endpoint GET /api/item/allTags — returns all tags across items accessible to the authenticated user.
  • Browser extension: accessible folders now resolved from cache_tree instead of the JWT payload, preventing stale folder lists after permission changes.

Browser Extension — Dashboard Status

  • Admin dashboard now displays the browser extension licence status.

Performance Improvements

APCu Configuration Cache

ConfigManager caches the full teampass_misc settings table in APCu shared memory (60 s TTL, key teampass_settings_v1). Cache is invalidated automatically after any write via ConfigManager::invalidateCache(), eliminating redundant DB reads on every request.

Optional Redis Session Storage

SessionManager supports Redis-backed sessions via RedisSessionHandler wrapped by EncryptedSessionProxy. Falls back to filesystem on connection failure. Configurable via redis_host, redis_port, redis_prefix, and redis_session_enabled in teampass_misc. gc_maxlifetime is now set dynamically to prevent premature PHP garbage collection.

Batch Sharekey Upserts

storeUsersShareKey() now executes a single batched INSERT … ON DUPLICATE KEY UPDATE (chunked at 100 rows) instead of N individual queries, reducing DB round-trips from O(users) to O(1) per item save.

cache_tree Optimizations

  • N+1 SQL queries in tree.php replaced with in-memory lookups (pre-loaded $completTree), reducing ~400–600 queries to 1 for a 200-folder tree.
  • Per-user cache invalidation via a new invalidated_at column — only users with access to the affected folder have their cache marked stale. Global invalidation (last_folder_change) removed.
  • Visible folders are now built synchronously in the same rebuild pass; a separate async background task is no longer needed.
  • Missing idx_user_id index added to cache_tree.user_id.

WebSocket Poll Interval

EventBroadcaster poll interval raised from 200 ms to 500 ms (fewer polls per second) to lower contention on teampass_websocket_events under high load.

Items Page

  • Unnecessary AJAX calls removed during item edition.
  • Item list refresh triggered immediately on add/delete.
  • Faster item save (background encryption task launched immediately).
  • Improved multi-item edition with immediate lock release.

Security

SQL Injection Fixes (API)

  • In ItemController (getAction, inFoldersAction, findByUrlAction): JWT folder/item IDs now sanitised with array_map(intval, ...).
  • User-supplied label/description passed through DB::escape() instead of raw string interpolation.
  • Internal exceptions logged server-side; only a generic message returned to the client.
  • N+1 sharekey queries in findByUrlAction() replaced with a single IN() query.
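The three hardening steps listed above (integer coercion of JWT-supplied IDs, user text kept out of the SQL string, and a generic client-facing error) plus the single IN() query, as an added example that is not TeamPass's own code. It uses an in-memory SQLite database with a constructed items table; the column names are assumptions, and the user-supplied text is passed as a bound parameter rather than through an escape function.

```php
<?php
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, id_tree INTEGER, label TEXT)');
    $ins = $db->prepare('INSERT INTO items (id, id_tree, label) VALUES (?, ?, ?)');
    foreach ([[1, 10, 'prod-db'], [2, 10, 'prod-api'], [3, 20, 'staging-db']] as $row) {
        $ins->execute($row);                                    // constructed sample rows
    }
    return $db;
}

/** Coerce a claim that should be a list of folder IDs into a clean, deduplicated int[]. */
function sanitiseIdList(mixed $claim): array {
    if (!is_array($claim)) {
        return [];
    }
    $ids = array_map('intval', $claim);                         // "20 OR 1=1" -> 20, "abc" -> 0
    $ids = array_filter($ids, fn(int $id) => $id > 0);          // drop 0 and negatives
    return array_values(array_unique($ids));
}

/** Items in the allowed folders whose label contains $needle: one prepared query, one IN(). */
function findItems(PDO $db, mixed $folderClaim, string $needle): array {
    $ids = sanitiseIdList($folderClaim);
    if ($ids === []) {
        return [];                                              // no folders means nothing, not everything
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT id, label FROM items WHERE id_tree IN ($placeholders) AND label LIKE ? ORDER BY id"
    );
    $stmt->execute([...$ids, '%' . $needle . '%']);             // user text travels as a parameter
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Controller wrapper: details go to the server log, the client sees a generic message. */
function safeAction(callable $action): array {
    try {
        return ['error' => false, 'data' => $action()];
    } catch (Throwable $e) {
        error_log('API failure: ' . $e->getMessage());
        return ['error' => true, 'message' => 'Internal error'];
    }
}

$db = makeDb();
$claim = ['10', '20 OR 1=1', 'abc'];        // a tampered folder claim
print_r(findItems($db, $claim, 'db'));      // ids 1 and 3: folders 10 and 20 only
print_r(safeAction(fn() => findItems($db, $claim, "'; DROP TABLE items; --")));  // empty data, table intact
```

LIKE treats % and _ as wildcards; escape them in $needle (with an ESCAPE clause) when a literal match is required.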

WebSocket Security Hardening

  • Single-use tokens: validateFromToken() now enforces used = 0 and marks the token used atomically on success; token validity reduced from 3600 s to 60 s.
  • Reconnect token: a long-lived reconnect token is generated after successful initial auth and transmitted only over the WS channel (never in a URL); the JS client uses it for all subsequent reconnection attempts.
  • Object injection prevention: @unserialize replaced with allowed_classes restriction.
  • Per-user API permissions: WS token holders now receive permissions from teampass_users.api_allowed_to_* columns instead of unconditional full CRUD access.
  • IP-based rate limiting for failed auth attempts (max 10 failures / 60 s per IP), applied before any credential validation.
  • Double-delivery prevention: EventBroadcaster poll+mark cycle wrapped in a DB transaction with SELECT FOR UPDATE.
  • Expired websocket_tokens purged in the existing hourly cleanup timer.
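The single-use token check, the per-IP failure budget applied before any credential work, and the allowed_classes restriction, as an added example that is not TeamPass's own code. It runs against an in-memory SQLite database; table names, the 60 s TTL and the 10-per-minute budget follow the list above, and the long-lived reconnect token and the broadcaster's SELECT ... FOR UPDATE cycle are not shown.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL_SECONDS   = 60;
const RATE_LIMIT_MAX      = 10;
const RATE_LIMIT_WINDOW_S = 60;

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ws_tokens (token TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER, used INTEGER DEFAULT 0)');
    $db->exec('CREATE TABLE ws_auth_failures (ip TEXT, at INTEGER)');
    return $db;
}

function issueToken(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO ws_tokens (token, user_id, expires_at, used) VALUES (?, ?, ?, 0)')
       ->execute([$token, $userId, $now + TOKEN_TTL_SECONDS]);
    return $token;
}

/** True when $ip has exhausted its failure budget. Checked BEFORE touching the token table. */
function isRateLimited(PDO $db, string $ip, int $now): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM ws_auth_failures WHERE ip = ? AND at > ?');
    $stmt->execute([$ip, $now - RATE_LIMIT_WINDOW_S]);
    return (int) $stmt->fetchColumn() >= RATE_LIMIT_MAX;
}

function recordFailure(PDO $db, string $ip, int $now): void {
    $db->prepare('INSERT INTO ws_auth_failures (ip, at) VALUES (?, ?)')->execute([$ip, $now]);
}

/**
 * Consume the token atomically: used = 0 and the expiry sit in the WHERE clause of one
 * UPDATE, so two concurrent connections presenting the same token cannot both succeed.
 */
function validateFromToken(PDO $db, string $token, string $ip, int $now): ?int {
    if (isRateLimited($db, $ip, $now)) {
        return null;
    }
    $stmt = $db->prepare('UPDATE ws_tokens SET used = 1 WHERE token = ? AND used = 0 AND expires_at > ?');
    $stmt->execute([$token, $now]);
    if ($stmt->rowCount() !== 1) {                   // unknown, expired or already-used token
        recordFailure($db, $ip, $now);
        return null;
    }
    $row = $db->prepare('SELECT user_id FROM ws_tokens WHERE token = ?');
    $row->execute([$token]);
    return (int) $row->fetchColumn();
}

/** Decode a serialized event payload without letting it instantiate arbitrary classes. */
function decodePayload(string $blob): ?array {
    $data = unserialize($blob, ['allowed_classes' => false]);   // objects become __PHP_Incomplete_Class
    return is_array($data) ? $data : null;
}

// Walk-through on constructed data.
$db  = makeDb();
$now = 1_700_000_000;
$t   = issueToken($db, 42, $now);
var_dump(validateFromToken($db, $t, '203.0.113.5', $now + 5));                        // int(42)
var_dump(validateFromToken($db, $t, '203.0.113.5', $now + 6));                        // NULL: single use
var_dump(validateFromToken($db, issueToken($db, 42, $now), '203.0.113.5', $now + 61)); // NULL: expired
for ($i = 0; $i < RATE_LIMIT_MAX; $i++) {
    validateFromToken($db, 'bogus', '198.51.100.9', $now);                            // burn the budget
}
var_dump(validateFromToken($db, issueToken($db, 7, $now), '198.51.100.9', $now));     // NULL: rate limited
var_dump(decodePayload(serialize(['type' => 'item.moved', 'id' => 3])));             // array(2)
var_dump(decodePayload('O:8:"stdClass":0:{}'));                                       // NULL: object rejected
```

Note the order inside validateFromToken(): a rate-limited client never causes a token-table write, and a failed lookup counts against the IP even when the token simply expired, so an attacker cannot probe token validity for free.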

XSS Prevention

  • Sanitisation added on two newly exposed fields to prevent XSS.
  • Guard added in main.functions.php when the master encryption key is empty.

HTTP Security Headers (API)

X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers added to all API responses.

AES Private Key Migration

xss_clean() removed from AES private key derivation path (it was corrupting binary-safe key material); transparent migration added for existing keys.

Bug Fixes

| Issue | Description |
|-------|-------------|
| #5104 | OAuth2 / Azure Entra — three bugs fixed: FK violation on new user creation, missing name/email in DB and missing confirmation email, "login credentials do not correspond" error on second login |
| #5108 | Items list showed wrong access rights after a role was deleted because restriction_to_roles was not cleaned up; restriction_to_roles is now purged on role deletion and an INNER JOIN is used in the rights query |
| #5111 | mfa_auth_requested_roles was not re-computed after LDAP checks, causing MFA to be skipped in some configurations |
| #3956 | AD group-to-role mapping broken: binary objectGUID is now normalised to a formatted string so it matches getADGroups() output; ldap_groups_roles deduplicated and UNIQUE KEY added on ldap_group_id |
| #5114 | Miscellaneous fixes (see commit 8e8df67) |
| #5124 | Missing SQL instruction in fresh install process |
| #5103 | Fallback crash when preg_split() returns false |
| #5106 | Admin page fix |
| #5102 | Several bugs identified and fixed in the items view |
| #5065 | Items page improvements and fixes |
| #5131 | Implemented and improved (see commit cf05e9ec) |
| #5132 | Applied provided fix |
| | 2FA method selector was shown to all users regardless of whether their role required MFA; now only displayed when relevant |
| | Notification bug when notifications are enabled for an item |
| | When another user updates an item currently being browsed, the UI now refreshes automatically |
| | Session-error modals now displayed when server returns ERROR NOT ALLOWED, ERROR SESSION EXPIRED, or the forced-disconnection message |
| | Fix WebSocket start/stop control in admin panel when the daemon is managed by systemd |
| | Docker installer: DB connection over TCP fixed; Docker documentation updated |
| | MySQL ONLY_FULL_GROUP_BY compatibility fixed across all SQL queries |
| | Manager access correctly restricted to System Health and specific user views |
| | Files Integrity Check: warning block added for folders that cannot be parsed due to permission errors |
| | Admin Dashboard: direct shortlink added to System Health card |
| | Item moved events now broadcast via WebSocket; edition lock correctly shown in item detail panel |
| | Edition lock enforced on item delete and move operations |
| | Permissions: create right, role restrictions, and item form fixes applied |

Upgrade Notes

Database Schema Changes (upgrade_run_3.1.7.php)

  • New tables: teampass_websocket_events, teampass_websocket_tokens, teampass_websocket_connections.
  • teampass_cache_tree (existing table): invalidated_at column and idx_user_id index added.
  • New table: teampass_favorites.
  • roles_values table: orphans and duplicates purged, UNIQUE KEY added.
  • ldap_groups_roles: deduplicated, corrupted INT(12) entries purged, UNIQUE KEY on ldap_group_id.
  • New teampass_misc settings: redis_session_enabled, redis_host, redis_port, redis_prefix, websocket_enabled, websocket_host, websocket_port.
  • AGSES column renamed.

PHP Extensions

The installer and upgrade wizard now check for (optional) extensions: OPcache, APCu, ext-redis, PHP-FPM. None are mandatory, but APCu and Redis are recommended for production performance.

Composer

  • firebase/php-jwt upgraded from v6.9 to v7.0.
  • All other Composer dependencies updated.

WebSocket Daemon (optional)

If you want real-time synchronisation, start the WebSocket daemon:

php /path/to/teampass/websocket/bin/server.php
# or use the provided systemd unit:
systemctl enable --now teampass-websocket

The daemon requires ext-pcntl and ext-posix (CLI only). Configure websocket_enabled = 1 in Admin > Settings.

Code Quality

  • PHPStan analysis raised to level 4 (previously level 1); errors fixed across sources/, api/, and custom classes.
  • PHPUnit setup added with initial test suite covering authentication flows and the Encryption class.
  • Encryption::decrypt() null guard added.
  • scan_corrupted_items.php diagnostic script added under scripts/.

Removed / Deprecated

  • list_folders_limited and list_restricted_folders_for_items session variables removed.
  • Deprecated direct folder restriction mechanisms removed from the permission engine.

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.13...3.1.7.0

Important

  • Requires at least PHP 8.1

Languages

Please join Teampass v3 translation project on Poeditor and translate it for your language.

Installation

Follow instructions from Documentation.

Upgrade

Follow instructions from Documentation.

Ideas and comments

Are welcome ... please use Discussions.

3.1.6.13 Breaking risk
Breaking changes
  • Minimum PHP version raised to 8.1
Security fixes
  • Added XSS sanitization for new Health utility fields
  • Guarded against empty master encryption key to avoid unexpected behavior
Notable features
  • API endpoint GET /api/item/allTags returns sorted unique tag list
  • Health dashboard: on‑demand corrupted items scanner (UI and CLI)
  • Health dashboard: Apache/web server error log viewer
Full changelog

What's Changed

New Features

  • API: GET /api/item/allTags endpoint — Returns the complete sorted list of unique tags stored in the
    database. Requires allowed_to_read permission. (docs)
  • Health: Corrupted items scanner by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5116 — New on-demand tool in the Health dashboard that scans items via the
    TP_USER sharekey and detects corrupted password blobs (empty key, decryption failure, binary content, length
    mismatch). Results are displayed in-page with per-item detail. Also available as a CLI script:
    scripts/scan_corrupted_items.php.
  • Health: Apache error log viewer — New section in the Health dashboard to check and copy the Apache/web
    server error log directly from the UI.
  • Health: Full database version in tooltip — The database version field now shows the full version string on
    hover.

Bug Fixes

  • Fix #5124 — Install: missing column in fresh install — The teampass_sharekeys_files table was created
    without the encryption_version column and its index during a fresh installation, causing a mismatch with
    upgrade-installed instances. (install/install-steps/run.step5.php)
  • Security: XSS sanitization on new Health fields — Added output sanitization on two newly introduced fields
    in the Health utilities to prevent XSS.
  • Security: Guard against empty master key — Added a defensive check when the master encryption key is empty
    to prevent unexpected behavior during item operations.

Internals

  • All language files updated with new translation keys for the corrupted items scanner and Apache log viewer
    sections.
  • API permission check updated to include allTags action in the allowed_to_read gate.

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.12...3.1.6.13

Last important topics

  • 3.1.6.0 - Migration is forced when a user logs in. To migrate progressively instead, set FORCE_PHPSECLIBV3_MIGRATION to FALSE (in file ./includes/config/include.php).
  • 3.1.5.10 - Refactor: Remove user password sanitization (see documentation)
  • 3.1.5.2 - New: Personal items migration phase implemented with improved management (see documentation)
  • 3.1.5.0 - New: transparent user password recovery in case of password change in external AD (please read documentation)


3.1.6.12 Bug fix
⚠ Upgrade required
  • Requires at least PHP 8.1
  • New password library implemented – see discussion #4020 for impacts
Full changelog

What's Changed

Important (deployment note): This release specifically fixes an issue encountered during the installation process.
If you have an existing and functional TeamPass instance, this upgrade is not required.

Bug Fixes

Installation fix (#5114)

Installation SQL was broken by an extra trailing comma in the ldap_groups_roles table-creation query.

MFA re-check after LDAP update (#5111)

mfa_auth_requested_roles was not recomputed after the LDAP checks potentially updated the user's roles, causing MFA to be skipped or incorrectly required. The value is now re-evaluated at the correct point in the authentication flow.

Orphan objects maintenance task (#5110 by @guerricv)

Prevent the maintenance cleanup task from deleting sharekeys belonging to soft-deleted users (only treat as orphan when the user record is truly missing).
Adjust the Health report logic so sharekeys linked to disabled / soft-deleted users are no longer counted as orphan sharekeys.
Fix and internationalize the Migration Statistics modal: remove hardcoded labels, use language strings, and align “Total Users” with the dashboard by excluding TeamPass system users (API, TP, OTV).
Fix JavaScript error in the Personal items migration status modal: Cannot access 'doneUsers' before initialization.

Item access rights corrupted by orphan role restrictions (#5108)

Deleting a role did not clean up the restriction_to_roles table. Stale rows caused count() to return a non-zero value, granting $right = 10 and hiding items in the list view. Fixed by:

  • Adding an INNER JOIN to the item list query so orphan restrictions are ignored.
  • Purging restriction_to_roles entries when a role is deleted.
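How a stale restriction_to_roles row flips an access decision, and both halves of the fix (INNER JOIN on the roles table, purge on role deletion), as an added example that is not TeamPass's own code. It runs against an in-memory SQLite database with simplified, assumed table and column names.

```php
<?php
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE roles (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec('CREATE TABLE restriction_to_roles (item_id INTEGER, role_id INTEGER)');
    $db->exec("INSERT INTO roles VALUES (1, 'dba'), (2, 'temp-project')");   // constructed rows
    $db->exec('INSERT INTO restriction_to_roles VALUES (100, 2)');           // item 100 -> temp-project only
    return $db;
}

/** Old check: any row counts, even one pointing at a role that no longer exists. */
function isRestrictedNaive(PDO $db, int $itemId): bool {
    $s = $db->prepare('SELECT COUNT(*) FROM restriction_to_roles WHERE item_id = ?');
    $s->execute([$itemId]);
    return (int) $s->fetchColumn() > 0;
}

/** Fixed check: only restrictions whose role still exists participate in the decision. */
function isRestricted(PDO $db, int $itemId): bool {
    $s = $db->prepare(
        'SELECT COUNT(*) FROM restriction_to_roles r
         INNER JOIN roles ro ON ro.id = r.role_id
         WHERE r.item_id = ?'
    );
    $s->execute([$itemId]);
    return (int) $s->fetchColumn() > 0;
}

/** Role deletion purges its restriction rows in the same transaction, so no orphan survives. */
function deleteRole(PDO $db, int $roleId): void {
    $db->beginTransaction();
    $db->prepare('DELETE FROM restriction_to_roles WHERE role_id = ?')->execute([$roleId]);
    $db->prepare('DELETE FROM roles WHERE id = ?')->execute([$roleId]);
    $db->commit();
}

$db = makeDb();
$db->exec('DELETE FROM roles WHERE id = 2');   // the old code path: role gone, restriction row left behind
var_dump(isRestrictedNaive($db, 100));         // bool(true): item treated as restricted, hidden from everyone
var_dump(isRestricted($db, 100));              // bool(false): orphan row ignored
$db->exec("INSERT INTO roles VALUES (2, 'temp-project')");   // recreate, then delete the right way
deleteRole($db, 2);
var_dump(isRestrictedNaive($db, 100));         // bool(false): nothing left to mis-count
```

The JOIN is the defence that holds even when an older orphan row is already in the table; the purge keeps the table honest going forward. A FOREIGN KEY with ON DELETE CASCADE would do the same purge in the engine where the schema allows it.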

Item lock check on new items (#5106)

Calling isItemLocked() with itemId = 0 (a new, unsaved item) triggered a spurious database lookup. A guard clause now returns status: false immediately for new items.

Fatal error on file attachment upload/download: missing IV initialisation (#5105)

File attachments could not be uploaded or downloaded because the cipher IV (initialisation vector) was never set in the encryptFile() and decryptFile() functions in sources/main.functions.php.
encryptFile() and decryptFile() now set the IV explicitly, removing behaviour that varied with the PHP/phpseclib environment.

OAuth2 / Azure Entra ID — new user creation and login flow (#5104)

Three regressions affecting first-time OAuth2 login have been resolved:

  • A foreign-key violation that prevented new users from being created (missing early return after user creation, mirroring the existing LDAP behaviour).
  • Profile data (name, email, groups) was not persisted to the database for new OAuth2 users, and the confirmation email was not sent.
  • A second login attempt always failed with "credentials do not correspond" because the oauth2_login_ongoing flag (session-derived, not stored in the database) was lost after the DB reload step in the authentication pipeline. It is now re-injected from the PHP session.

CSV/KeePass import — inherited folder permissions (#5103 by @guerricv)

Folders created during import now inherit permissions from their parent, preventing imported folders from being invisible in the UI after import.

AD group-to-role mapping (#3956)

  • The binary objectGUID returned by Active Directory was not normalised to a formatted string before comparison, breaking automatic role assignment at login.
  • DB::count() replaced with a null check on queryFirstRow() for reliable group-to-role mapping display.
  • A JS guard (isNaN instead of === '') prevented invalid role IDs from being submitted.
  • Upgrade script: deduplicates ldap_groups_roles, purges rows corrupted by the former INT(12) column bug, and adds a UNIQUE KEY on ldap_group_id.
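The objectGUID normalisation described above, as an added example that is not TeamPass's own code: the 16-byte attribute value is converted to the canonical dashed string (Microsoft stores the first three fields little-endian), an already-formatted value passes through unchanged, and the result is matched against a constructed GUID-to-role mapping standing in for ldap_groups_roles. Function names and the mapping are assumptions.

```php
<?php
declare(strict_types=1);

/** 16 raw bytes -> "33221100-5544-7766-8899-aabbccddeeff" (Data1..Data3 byte-swapped, Data4 as-is). */
function guidBinaryToString(string $bin): string {
    if (strlen($bin) !== 16) {
        throw new InvalidArgumentException('objectGUID must be exactly 16 bytes');
    }
    $h    = bin2hex($bin);
    $swap = fn(string $s): string => implode('', array_reverse(str_split($s, 2)));
    return sprintf('%s-%s-%s-%s-%s',
        $swap(substr($h, 0, 8)),
        $swap(substr($h, 8, 4)),
        $swap(substr($h, 12, 4)),
        substr($h, 16, 4),
        substr($h, 20, 12)
    );
}

/** Accept the raw attribute or a formatted string (optionally braced); return lowercase canonical form. */
function normaliseGuid(string $guid): string {
    if (strlen($guid) === 16) {               // raw value: do not trim, a first byte of 0x7b is data
        return guidBinaryToString($guid);
    }
    $guid = trim($guid, '{}');
    if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $guid)) {
        throw new InvalidArgumentException('unrecognised GUID form');
    }
    return strtolower($guid);
}

/**
 * @param string[]          $userGroupGuids  objectGUIDs of the user's groups, binary or string
 * @param array<string,int> $groupToRole     canonical GUID => role id
 * @return int[] role ids to assign, deduplicated
 */
function rolesForGroups(array $userGroupGuids, array $groupToRole): array {
    $roles = [];
    foreach ($userGroupGuids as $g) {
        $key = normaliseGuid($g);
        if (isset($groupToRole[$key])) {
            $roles[$groupToRole[$key]] = true;
        }
    }
    return array_keys($roles);
}

$raw = hex2bin('00112233445566778899aabbccddeeff');      // constructed 16-byte objectGUID
var_dump(guidBinaryToString($raw));                      // "33221100-5544-7766-8899-aabbccddeeff"
$mapping = [
    '33221100-5544-7766-8899-aabbccddeeff' => 5,
    'ffffffff-0000-0000-0000-000000000001' => 9,
];
var_dump(rolesForGroups([$raw, '{33221100-5544-7766-8899-AABBCCDDEEFF}'], $mapping));  // [5], once
```

Comparing the raw bytes with the formatted string, as the old code did, never matches, which is why role assignment silently did nothing; normalising both sides to the same lowercase form before the lookup is the whole fix.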

Utilities — null variable initialisation

$missingUser and $inactiveUser are initialised to 0 (integer) instead of null, preventing type errors in the orphan sharekey counter.

Improvements

Files Integrity Check — permission error reporting

Folders that cannot be parsed due to filesystem permission errors are now listed with a warning inside the Files Integrity Check modal instead of being silently skipped. A shortlink from the System Health card in the admin dashboard now points directly to this modal.

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.10...3.1.6.12


3.1.6.11 Breaking risk
Breaking changes
  • Requires at least PHP 8.1
Full changelog

What's Changed

Bug Fixes

MFA re-check after LDAP update (#5111)

mfa_auth_requested_roles was not recomputed after the LDAP checks potentially updated the user's roles, causing MFA to be skipped or incorrectly required. The value is now re-evaluated at the correct point in the authentication flow.

Orphan objects maintenance task (#5110 by @guerricv)

Prevent the maintenance cleanup task from deleting sharekeys belonging to soft-deleted users (only treat as orphan when the user record is truly missing).
Adjust the Health report logic so sharekeys linked to disabled / soft-deleted users are no longer counted as orphan sharekeys.
Fix and internationalize the Migration Statistics modal: remove hardcoded labels, use language strings, and align “Total Users” with the dashboard by excluding TeamPass system users (API, TP, OTV).
Fix JavaScript error in the Personal items migration status modal: Cannot access 'doneUsers' before initialization.

Item access rights corrupted by orphan role restrictions (#5108)

Deleting a role did not clean up the restriction_to_roles table. Stale rows caused count() to return a non-zero value, granting $right = 10 and hiding items in the list view. Fixed by:

  • Adding an INNER JOIN to the item list query so orphan restrictions are ignored.
  • Purging restriction_to_roles entries when a role is deleted.

Item lock check on new items (#5106)

Calling isItemLocked() with itemId = 0 (a new, unsaved item) triggered a spurious database lookup. A guard clause now returns status: false immediately for new items.

Fatal error on file attachment upload/download: missing IV initialisation (#5105)

File attachments could not be uploaded or downloaded because the cipher IV (initialisation vector) was never set in the encryptFile() and decryptFile() functions in sources/main.functions.php.
encryptFile() and decryptFile() now set the IV explicitly, removing behaviour that varied with the PHP/phpseclib environment.

OAuth2 / Azure Entra ID — new user creation and login flow (#5104)

Three regressions affecting first-time OAuth2 login have been resolved:

  • A foreign-key violation that prevented new users from being created (missing early return after user creation, mirroring the existing LDAP behaviour).
  • Profile data (name, email, groups) was not persisted to the database for new OAuth2 users, and the confirmation email was not sent.
  • A second login attempt always failed with "credentials do not correspond" because the oauth2_login_ongoing flag (session-derived, not stored in the database) was lost after the DB reload step in the authentication pipeline. It is now re-injected from the PHP session.

CSV/KeePass import — inherited folder permissions (#5103 by @guerricv)

Folders created during import now inherit permissions from their parent, preventing imported folders from being invisible in the UI after import.

AD group-to-role mapping (#3956)

  • The binary objectGUID returned by Active Directory was not normalised to a formatted string before comparison, breaking automatic role assignment at login.
  • DB::count() replaced with a null check on queryFirstRow() for reliable group-to-role mapping display.
  • A JS guard (isNaN instead of === '') prevented invalid role IDs from being submitted.
  • Upgrade script: deduplicates ldap_groups_roles, purges rows corrupted by the former INT(12) column bug, and adds a UNIQUE KEY on ldap_group_id.

Utilities — null variable initialisation

$missingUser and $inactiveUser are initialised to 0 (integer) instead of null, preventing type errors in the orphan sharekey counter.

Improvements

Files Integrity Check — permission error reporting

Folders that cannot be parsed due to filesystem permission errors are now listed with a warning inside the Files Integrity Check modal instead of being silently skipped. A shortlink from the System Health card in the admin dashboard now points directly to this modal.

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.10...3.1.6.11


3.1.6.10 New feature
⚠ Upgrade required
  • Requires at least PHP 8.1
  • New password library implemented; see discussion for impacts
Security fixes
  • Fixed decryption of private keys when passwords contain special characters (<, >, &)
Notable features
  • Utilities > Health page provides centralized instance integrity and configuration status view
  • Bulk delete support in deleted users panel with "Select all" checkbox and purge button
Full changelog

What's Changed

New Features by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5098

Health Check Utility

A new Utilities > Health page is available to administrators. It provides a centralized view of the instance's integrity and configuration status, making it easier to detect and diagnose common issues.

Bulk Delete for Deleted Users

The deleted users panel now supports selecting multiple accounts and purging them in a single operation. A "Select all" checkbox and a dedicated purge button have been added alongside the existing 90-day purge button.

Improvements by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5098

API — Folder Access via Cache (Extension)

The list of accessible folders is no longer embedded in the JWT payload (which caused oversized tokens). The API now resolves accessible folders at runtime from the cache_tree table. The cache is built at login and silently refreshed when permissions change.

User Statistics — System Accounts Excluded

The admin dashboard's user counts now correctly exclude internal system accounts (e.g., TP_USER, API), giving a more accurate view of real user activity.

Inactive Users Email — Improved Name Handling

Notification emails sent to inactive users now fall back gracefully to the first name, then the last name, then the login when a full name is not available. The email template also gains a #firstname# placeholder.

Bug Fixes

Encryption — False Positive PKCS7 Padding During Migration

Fixed a rare silent failure during the phpseclib v1 → v3 private key migration.
AES-CBC decryption with the wrong hash algorithm (SHA-256 on SHA-1 data) could produce garbage data that passed PKCS7 padding validation. The decrypted output is now validated as a valid PEM key before accepting the result; if not, the correct algorithm is retried automatically.

Security fix — Private key decryption for passwords containing special characters

Fixed a bug where user private keys encrypted with passwords containing certain special characters (<, >, &) could not be decrypted by background tasks and migration scripts. Affected users could still log in normally but machine accounts (TP_USER, SSH_USER) might fail during phpseclib v3 migration.
Private keys are now transparently re-encrypted with the correct key material at next login - no user action required, no data loss, existing encrypted items are unaffected.
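The migration pattern behind this fix, the PKCS7 false-positive fix above, and the 3.1.7 removal of xss_clean() from the AES private-key derivation path, as one added example that is not TeamPass's own code: try the current wrapping key, fall back to the legacy derivation, accept a decryption only if the output parses as a PEM key (padding alone is not proof), and re-wrap under the current scheme so the next login takes the fast path. The two derivation functions are assumptions standing in for the real legacy and current paths; the legacy one models a text-oriented filter being applied to the password before key derivation.

```php
<?php
declare(strict_types=1);

const WRAP_CIPHER = 'aes-256-cbc';

/** Current derivation: raw PBKDF2-SHA256 output, binary-safe, nothing filtered. */
function deriveWrapKeyCurrent(string $password, string $salt): string {
    return hash_pbkdf2('sha256', $password, $salt, 100_000, 32, true);
}

/** Legacy derivation (assumed): the password went through an HTML filter first, so '<' became '&lt;'. */
function deriveWrapKeyLegacy(string $password, string $salt): string {
    return hash_pbkdf2('sha256', htmlspecialchars($password, ENT_QUOTES), $salt, 100_000, 32, true);
}

function wrapPrivateKey(string $pem, string $key): string {
    $iv = random_bytes(openssl_cipher_iv_length(WRAP_CIPHER));   // explicit IV, stored with the blob
    return $iv . openssl_encrypt($pem, WRAP_CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

/** Returns the PEM only when the plaintext really is a private key; null otherwise. */
function unwrapPrivateKey(string $blob, string $key): ?string {
    $ivLen = openssl_cipher_iv_length(WRAP_CIPHER);
    $plain = openssl_decrypt(substr($blob, $ivLen), WRAP_CIPHER, $key, OPENSSL_RAW_DATA, substr($blob, 0, $ivLen));
    // A wrong key usually fails the PKCS#7 padding check, but roughly 1 time in 256 it
    // yields garbage with valid padding. Only accept output that parses as a key.
    if ($plain === false || !str_starts_with($plain, '-----BEGIN') || openssl_pkey_get_private($plain) === false) {
        return null;
    }
    return $plain;
}

/**
 * Current key first, legacy key second. When only the legacy key works, hand back a
 * re-wrapped blob that the caller stores in place of the old one.
 * @return array{pem: string, rewrapped: ?string}|null
 */
function unwrapWithMigration(string $blob, string $password, string $salt): ?array {
    $current = deriveWrapKeyCurrent($password, $salt);
    if (($pem = unwrapPrivateKey($blob, $current)) !== null) {
        return ['pem' => $pem, 'rewrapped' => null];
    }
    $pem = unwrapPrivateKey($blob, deriveWrapKeyLegacy($password, $salt));
    if ($pem === null) {
        return null;                          // genuine failure: wrong password or corrupted blob
    }
    return ['pem' => $pem, 'rewrapped' => wrapPrivateKey($pem, $current)];
}

// Walk-through: a fresh RSA key wrapped the legacy way under a password containing '<' and '&'.
$res = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($res, $pem);
$password   = 'p<ss&w0rd';
$salt       = random_bytes(16);
$legacyBlob = wrapPrivateKey($pem, deriveWrapKeyLegacy($password, $salt));

$out = unwrapWithMigration($legacyBlob, $password, $salt);
var_dump($out !== null && $out['pem'] === $pem);                                   // bool(true): legacy path
var_dump($out['rewrapped'] !== null);                                              // bool(true): store this blob
var_dump(unwrapWithMigration($out['rewrapped'], $password, $salt)['rewrapped']);   // NULL: current path now works
var_dump(unwrapWithMigration($legacyBlob, 'wrong', $salt));                        // NULL: both paths fail
```

The same shape applies to the SHA-1 versus SHA-256 case in the PKCS7 fix: two candidate keys, a structural check on the plaintext, and a one-time re-encryption once the right one is found.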

TP_USER Migration Script

A dedicated migration script (scripts/migrate_tp_user_to_v3.php) has been added for the internal TP_USER account (ID 9999997). Because this account never logs in interactively, it was skipped by the standard per-user migration. The script detects the encryption version of its RSA private key and sharekeys, and re-encrypts them to phpseclib v3 (SHA-256) as needed.

Run php scripts/migrate_tp_user_to_v3.php [--dry-run|--migrate] to perform this migration (run with --dry-run first to see what would change).

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.7...3.1.6.10


3.1.6.9 Breaking risk
⚠ Upgrade required
  • Run `php scripts/migrate_tp_user_to_v3.php [--dry-run|--migrate]` to migrate the internal TP_USER account (ID 9999997) to phpseclib v3 encryption.
  • Set `FORCE_PHPSECLIBV3_MIGRATION` to `FALSE` in `./includes/config/include.php` for progressive migration if needed.
Breaking changes
  • Requires at least PHP 8.1
Notable features
  • Health Check Utility page for administrators
  • Bulk delete support in the deleted users panel
  • API folder access resolved from cache_tree table instead of JWT payload
Full changelog

What's Changed

New Features by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5098

Health Check Utility

A new Utilities > Health page is available to administrators. It provides a centralized view of the instance's integrity and configuration status, making it easier to detect and diagnose common issues.

Bulk Delete for Deleted Users

The deleted users panel now supports selecting multiple accounts and purging them in a single operation. A "Select all" checkbox and a dedicated purge button have been added alongside the existing 90-day purge button.

Improvements by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5098

API — Folder Access via Cache (Extension)

The list of accessible folders is no longer embedded in the JWT payload (which caused oversized tokens). The API now resolves accessible folders at runtime from the cache_tree table. The cache is built at login and silently refreshed when permissions change.

User Statistics — System Accounts Excluded

The admin dashboard's user counts now correctly exclude internal system accounts (e.g., TP_USER, API), giving a more accurate view of real user activity.

Inactive Users Email — Improved Name Handling

Notification emails sent to inactive users now fall back gracefully to the first name, then the last name, then the login when a full name is not available. The email template also gains a #firstname# placeholder.

Bug Fixes

Encryption — False Positive PKCS7 Padding During Migration

Fixed a rare silent failure during the phpseclib v1 → v3 private key migration.
AES-CBC decryption with the wrong hash algorithm (SHA-256 on SHA-1 data) could produce garbage data that passed PKCS7 padding validation. The decrypted output is now validated as a valid PEM key before accepting the result; if not, the correct algorithm is retried automatically.

TP_USER Migration Script

A dedicated migration script (scripts/migrate_tp_user_to_v3.php) has been added for the internal TP_USER account (ID 9999997). Because this account never logs in interactively, it was skipped by the standard per-user migration. The script detects the encryption version of its RSA private key and sharekeys, and re-encrypts them to phpseclib v3 (SHA-256) as needed.

Run php scripts/migrate_tp_user_to_v3.php [--dry-run|--migrate] to perform this migration (run with --dry-run first to see what would change).

Full Changelog

https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.7...3.1.6.9


3.1.6.7 Bug fix
⚠ Upgrade required
  • Requires PHP 8.1 or newer
  • New password library implemented – see discussion for impacts
  • Migration can be forced on login; set FORCE_PHPSECLIBV3_MIGRATION to FALSE for progressive migration
Security fixes
  • Redacted browser_extension_key from bug reports to prevent sensitive data exposure
Notable features
  • Sharekeys encryption migration modal UI and i18n improvements
  • Admin page full localization with translation keys
Full changelog

What's Changed

  • Fix: Bug report modal shows escaped content and clipboard copy fails for textarea by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5089
    • Clipboard copy reworked -- The copy-to-clipboard feature now supports both the clipboard-target attribute and data-clipboard-text, and correctly reads values from input fields. This fixes cases where copying a password or login would silently fail.
    • Bug report dialog improved -- The bug report generator now outputs clean plain text instead of raw HTML, making it much easier to read and paste into a GitHub issue. It also handles missing PHP error data gracefully instead of causing an error.
    • Fixed bug report crash -- Generating a bug report no longer fails with an undefined index error when no PHP error has been recorded.
  • Improve Sharekeys Encryption Migration modal (UI + i18n) by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5087
    • Sharekeys migration notice enhanced -- The admin dashboard now shows a clear, well-formatted modal explaining which user accounts still need to be migrated to the newer encryption library, with recommended actions and a sorted list of affected users.
    • Admin page fully localized -- Hardcoded English strings in the admin panel (modal titles, buttons, migration notices) have been replaced with proper translation keys, so the interface now respects the selected language.
    • Browser extension key excluded from bug reports -- The browser_extension_key setting is now redacted from generated bug reports, preventing accidental exposure of sensitive data.

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.6...3.1.6.7


3.1.6.6 Breaking risk
Breaking changes
  • Minimum PHP version increased to 8.1
Full changelog

What's Changed

New Features

Inactive Users Management by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5083

Administrators can now automate the lifecycle of inactive accounts. You can configure the system to automatically warn users after a specific period of inactivity and, if no login occurs during the grace period, automatically disable or delete the account. This ensures better security compliance and database hygiene.

Inactivity Dashboard & Alerts by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5083

A new status banner in the Users page provides real-time visibility into the management task, while specific badges identify users who have been warned or are pending action.
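The decision logic behind the inactivity lifecycle described above, as an added example that is not TeamPass's own implementation: warn once the inactivity threshold is passed, then disable or delete only when the grace period expires without a new login. Field names, policy keys and the administrator exemption are assumptions, not taken from the code base.

```php
<?php
// Added example (not TeamPass code): one account's lifecycle decision under an
// inactive-users policy. Returns 'none', 'warn', 'disable' or 'delete'.
// Assumed structures:
//   $user   = ['last_login' => ?DateTimeImmutable, 'created_at' => DateTimeImmutable,
//              'warned_at'  => ?DateTimeImmutable, 'admin' => bool]
//   $policy = ['inactivity_days' => int, 'grace_days' => int, 'action' => 'disable'|'delete']

function daysBetween(DateTimeImmutable $from, DateTimeImmutable $to): int
{
    return (int) $from->diff($to)->days;
}

function inactiveUserAction(array $user, array $policy, DateTimeImmutable $now): string
{
    if ($user['admin']) {
        return 'none';                              // assumption: administrators are never auto-locked
    }

    // Accounts that never logged in are measured from their creation date.
    $lastSeen     = $user['last_login'] ?? $user['created_at'];
    $daysInactive = daysBetween($lastSeen, $now);
    if ($daysInactive < $policy['inactivity_days']) {
        return 'none';                              // still within the allowed inactivity window
    }

    $warnedAt = $user['warned_at'];
    // No warning yet, or the warning predates the last login (the user came back
    // and then went inactive again): warn afresh instead of jumping to lockout.
    if ($warnedAt === null || $warnedAt < $lastSeen) {
        return 'warn';
    }

    if (daysBetween($warnedAt, $now) < $policy['grace_days']) {
        return 'none';                              // warned, grace period still running
    }

    return $policy['action'] === 'delete' ? 'delete' : 'disable';
}

// --- Constructed sample accounts evaluated on a fixed date ---
$now    = new DateTimeImmutable('2025-06-01');
$policy = ['inactivity_days' => 90, 'grace_days' => 14, 'action' => 'disable'];
$d      = static fn (string $date): DateTimeImmutable => new DateTimeImmutable($date);

$users = [
    'active'          => ['last_login' => $d('2025-05-20'), 'created_at' => $d('2024-01-01'), 'warned_at' => null,            'admin' => false],
    'to_warn'         => ['last_login' => $d('2025-01-15'), 'created_at' => $d('2024-01-01'), 'warned_at' => null,            'admin' => false],
    'in_grace'        => ['last_login' => $d('2025-01-15'), 'created_at' => $d('2024-01-01'), 'warned_at' => $d('2025-05-25'), 'admin' => false],
    'grace_expired'   => ['last_login' => $d('2025-01-15'), 'created_at' => $d('2024-01-01'), 'warned_at' => $d('2025-05-01'), 'admin' => false],
    'never_logged_in' => ['last_login' => null,             'created_at' => $d('2024-12-01'), 'warned_at' => null,            'admin' => false],
    'came_back'       => ['last_login' => $d('2025-02-20'), 'created_at' => $d('2024-01-01'), 'warned_at' => $d('2025-01-10'), 'admin' => false],
    'admin_account'   => ['last_login' => $d('2024-06-01'), 'created_at' => $d('2024-01-01'), 'warned_at' => null,            'admin' => true],
];

foreach ($users as $label => $user) {
    printf("%-16s %s\n", $label, inactiveUserAction($user, $policy, $now));
}
```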

Bug Fixes & Improvements

Password Reset Stability by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5086

Fixed a technical error in the password strength meter that could occur when a user was forced to change their password (e.g., after an administrator reset). The interface is now more robust during the password update process.

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.5...3.1.6.6


3.1.6.5 Breaking risk
⚠ Upgrade required
  • Run the standard upgrade script (`/install/upgrade.php`) – it will automatically migrate the TP_USER private key to `user_private_keys`.
  • If users encounter empty passwords or HTTP 500 errors after upgrade, use the new "Generate new keys" action as a first‑step resolution.
  • For installations upgraded from pre‑3.1.6 versions with phpseclib v1 sharekeys, execute `php scripts/repair_phpseclib_migration.php --dry-run` to check and `--fix` to repair.
Breaking changes
  • All read paths for user private keys migrated from `teampass_users.private_key` column to the new `teampass_user_private_keys` table (filtered on `is_current = 1`). The old column remains written for backward compatibility but is no longer the source of truth.
Notable features
  • "Generate new keys" action in Users administration regenerates sharekeys and encryption keys.
  • On‑the‑fly backup comments support added with optional comment field stored in `.meta.json` sidecar.
Full changelog

Overview

Version 3.1.6.5 is a stability and reliability release focused on encryption key management. It addresses several critical issues that could cause empty passwords, HTTP 500 errors, or account lockouts — particularly for LDAP/AD environments and after admin key regeneration operations.

What's Changed

Critical Fixes

Empty passwords on recently created items

A race condition could cause the user's private_key and public_key to become desynchronized. When this happened, sharekeys for new items were encrypted with a public key that no longer matched the private key — resulting in empty passwords displayed to the user. The write order has been corrected across all key generation paths (handleUserKeys, generateOneTimeCode, password change, profile update).

If you already have affected users (can see items but passwords appear empty for recently created ones while older items still work): use the "Generate new keys" action from the Users administration page (see below).

HTTP 500 when viewing items (auto_reencryption_failed in log_system)

Decryption failures in custom fields or item data could trigger an unhandled exception and crash the entire page load. Decryption is now wrapped in try/catch: the item loads normally and a warning toast identifies which specific fields could not be decrypted.

AD/LDAP users locked out after account reactivation

When a disabled AD account was reactivated, the password hash was updated before key recovery completed. If recovery failed, subsequent logins would silently use corrupted encryption keys, causing 500 errors when accessing items. The authentication flow now only updates the password hash after successful key recovery.

Transparent recovery data not persisted

When user RSA keys were regenerated (admin password reset, recovery code, admin key regeneration), the transparent recovery fields (user_derivation_seed, private_key_backup, key_integrity_hash) were not saved to the database. This caused attemptTransparentRecovery() to fail with key_integrity_check_failed for AD/LDAP users who changed their password, ultimately disabling their account. All key regeneration paths now persist recovery data correctly.
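Two safeguards that correspond to the fixes above ("Empty passwords on recently created items", "Transparent recovery data not persisted", and the move to the `user_private_keys` table), as an added example rather than TeamPass's own code: a round-trip check proving that a stored public key and private key belong together, and a single transaction that writes the new key pair, the dual-written legacy column and the recovery fields so no concurrent reader can observe a half-rotated pair. It assumes phpseclib v3 for RSA, PDO with SQLite for storage, and the column names used in the SQL.

```php
<?php
// Added example, not TeamPass code. Assumptions: phpseclib v3, PDO/SQLite,
// and the table/column names below. The private key is handled in clear
// here for brevity; TeamPass stores it encrypted with the user's password.
require __DIR__ . '/vendor/autoload.php';

use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;

/** True only if data encrypted with $publicKeyPem decrypts correctly with $privateKeyPem. */
function keyPairIsConsistent(string $privateKeyPem, string $publicKeyPem): bool
{
    try {
        $private = PublicKeyLoader::load($privateKeyPem);
        $public  = PublicKeyLoader::load($publicKeyPem);
        $probe   = random_bytes(32);
        $plain   = $private->decrypt($public->encrypt($probe));
        // phpseclib may return false or throw on a padding/decryption error
        return is_string($plain) && hash_equals($probe, $plain);
    } catch (\Throwable $e) {
        return false;
    }
}

/**
 * Persist a freshly generated key pair for $userId. Everything a later login or
 * attemptTransparentRecovery() reads is written inside ONE transaction:
 *  - the new user_private_keys row with is_current = 1 (the source of truth),
 *  - the legacy teampass_users.private_key column (dual-write, compatibility only),
 *  - public_key, user_derivation_seed, private_key_backup and key_integrity_hash.
 */
function persistUserKeys(PDO $db, int $userId, string $privateKeyStored, string $publicKeyPem,
                         string $derivationSeed, string $privateKeyBackup): void
{
    // Integrity hash formula is an assumption for this example.
    $integrityHash = hash('sha256', $privateKeyStored . $publicKeyPem . $derivationSeed);
    $db->beginTransaction();
    try {
        $db->prepare('UPDATE teampass_user_private_keys SET is_current = 0 WHERE user_id = ?')
           ->execute([$userId]);
        $db->prepare('INSERT INTO teampass_user_private_keys (user_id, private_key, is_current) VALUES (?, ?, 1)')
           ->execute([$userId, $privateKeyStored]);
        $db->prepare('UPDATE teampass_users SET public_key = ?, private_key = ?, user_derivation_seed = ?,
                      private_key_backup = ?, key_integrity_hash = ? WHERE id = ?')
           ->execute([$publicKeyPem, $privateKeyStored, $derivationSeed, $privateKeyBackup, $integrityHash, $userId]);
        $db->commit();
    } catch (\Throwable $e) {
        $db->rollBack();   // nothing partially written: no public key without its private key
        throw $e;
    }
}

/** Read the current private key from user_private_keys, not from the legacy column. */
function currentPrivateKey(PDO $db, int $userId): ?string
{
    $stmt = $db->prepare('SELECT private_key FROM teampass_user_private_keys WHERE user_id = ? AND is_current = 1');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['private_key'] : null;
}

// --- Stand-alone demonstration on a constructed in-memory database ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE teampass_users (id INTEGER PRIMARY KEY, public_key TEXT, private_key TEXT,
           user_derivation_seed TEXT, private_key_backup TEXT, key_integrity_hash TEXT)');
$db->exec('CREATE TABLE teampass_user_private_keys (id INTEGER PRIMARY KEY AUTOINCREMENT,
           user_id INTEGER, private_key TEXT, is_current INTEGER)');
$db->exec('INSERT INTO teampass_users (id) VALUES (42)');

$keyA  = RSA::createKey(2048);
$privA = $keyA->toString('PKCS8');
$pubA  = $keyA->getPublicKey()->toString('PKCS8');
persistUserKeys($db, 42, $privA, $pubA, bin2hex(random_bytes(16)), $privA);

// A matching pair passes the check; a private key from another generation paired
// with the stored public key (the desynchronised state behind the empty passwords) fails.
$keyB = RSA::createKey(2048);
echo 'stored pair: ', keyPairIsConsistent(currentPrivateKey($db, 42), $pubA) ? 'consistent' : 'DESYNC', PHP_EOL;
echo 'mixed pair:  ', keyPairIsConsistent($keyB->toString('PKCS8'), $pubA) ? 'consistent' : 'DESYNC', PHP_EOL;
```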

Locked account producing no feedback

When an account was disabled, the login page showed no error message. The error response format has been fixed so users now see a clear "account is locked" notification.


Encryption Key Architecture Change

Private keys now read from user_private_keys table
All read paths for user private keys have been migrated from the teampass_users.private_key column to the teampass_user_private_keys table (filtered on is_current = 1). The private_key column in teampass_users is still written to (dual-write) for backward compatibility but is no longer the source of truth.

The upgrade script ensures the TP_USER account has its private key properly stored in user_private_keys.


New Admin Features

"Generate new keys" action in Users administration

A new option is available in the user action menu on the Users page. When triggered (with confirmation), it regenerates all sharekeys and the user's public, private, and seed keys. The user can then log in with their normal password and access all shared passwords again. Note: personal item passwords are lost when using this action — the user will be prompted to re-encrypt personal items with their old password if applicable.

On-the-fly backup comments by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5073

On-the-fly backups now support an optional comment field. You can add a comment when creating a backup and edit comments on existing backups from the backup list. Comments are stored in the .meta.json sidecar file and displayed in the backup table.


phpseclib v3 Migration Fix

The sharekey migration from phpseclib v2 to v3 had two issues:

  • Updated sharekeys kept their old encryption_version=1 instead of being marked as v3
  • Migration could be marked as complete before all sharekeys were actually migrated

Both are fixed. A new CLI repair script is available for users with inconsistent migration state:
php scripts/repair_phpseclib_migration.php --help
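How a migration loop avoids both defects listed above, as an added example that is not the project's repair script: each sharekey is re-encrypted from the legacy RSA-OAEP/SHA-1 scheme to RSA-OAEP/SHA-256 with the new ciphertext and `encryption_version = 3` written in the same UPDATE, and the user is flagged as migrated only when no sharekey below version 3 remains. It assumes phpseclib v3, PDO with SQLite, base64-stored ciphertexts and the table/column names used below.

```php
<?php
// Added example, not TeamPass code. Assumptions: phpseclib v3, PDO/SQLite,
// base64 storage of the RSA ciphertext, and the table/column names used here.
require __DIR__ . '/vendor/autoload.php';

use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;

const ENCRYPTION_VERSION_V3 = 3;

/** Re-encrypt every legacy sharekey of $userId; returns ['migrated' => n, 'failed' => n]. */
function migrateUserSharekeys(PDO $db, int $userId, string $privateKeyPem): array
{
    $v3Private = PublicKeyLoader::load($privateKeyPem);              // OAEP/SHA-256 (phpseclib v3 default)
    $v3Public  = $v3Private->getPublicKey();
    $v1Private = $v3Private->withHash('sha1')->withMGFHash('sha1');  // OAEP/SHA-1 as the legacy scheme used

    $select = $db->prepare('SELECT increment_id, share_key FROM teampass_sharekeys_items
                            WHERE user_id = ? AND encryption_version < ?');
    $update = $db->prepare('UPDATE teampass_sharekeys_items
                            SET share_key = ?, encryption_version = ? WHERE increment_id = ?');
    $select->execute([$userId, ENCRYPTION_VERSION_V3]);

    $stats = ['migrated' => 0, 'failed' => 0];
    foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
        try {
            $clear = $v1Private->decrypt(base64_decode($row['share_key'], true));
            if (!is_string($clear)) {
                throw new RuntimeException('legacy decryption failed');
            }
            // Ciphertext and version stamp change together, so a row can never be
            // left as "new ciphertext, encryption_version=1" (the first defect above).
            $update->execute([base64_encode($v3Public->encrypt($clear)), ENCRYPTION_VERSION_V3, $row['increment_id']]);
            $stats['migrated']++;
        } catch (\Throwable $e) {
            $stats['failed']++;   // row left untouched; remainingLegacySharekeys() still reports it
        }
    }
    return $stats;
}

/** Number of sharekeys for $userId still below version 3. */
function remainingLegacySharekeys(PDO $db, int $userId): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM teampass_sharekeys_items WHERE user_id = ? AND encryption_version < ?');
    $stmt->execute([$userId, ENCRYPTION_VERSION_V3]);
    return (int) $stmt->fetchColumn();
}

/** Flag the user as migrated only when nothing legacy is left (the second defect above). */
function markMigrationCompleteIfDone(PDO $db, int $userId): bool
{
    if (remainingLegacySharekeys($db, $userId) > 0) {
        return false;
    }
    // Completion flag column name is an assumption.
    $db->prepare('UPDATE teampass_users SET phpseclib_migration_done = 1 WHERE id = ?')->execute([$userId]);
    return true;
}

// --- Stand-alone demonstration with constructed data in SQLite ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE teampass_users (id INTEGER PRIMARY KEY, phpseclib_migration_done INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE teampass_sharekeys_items (increment_id INTEGER PRIMARY KEY AUTOINCREMENT,
           object_id INTEGER, user_id INTEGER, share_key TEXT, encryption_version INTEGER)');
$db->exec('INSERT INTO teampass_users (id) VALUES (7)');

$key          = RSA::createKey(2048);
$legacyPublic = $key->getPublicKey()->withHash('sha1')->withMGFHash('sha1');
$insert = $db->prepare('INSERT INTO teampass_sharekeys_items (object_id, user_id, share_key, encryption_version)
                        VALUES (?, 7, ?, 1)');
foreach ([101, 102, 103] as $itemId) {
    // sharekeys as a legacy installation would have stored them (constructed)
    $insert->execute([$itemId, base64_encode($legacyPublic->encrypt(random_bytes(32)))]);
}
$insert->execute([104, base64_encode('not-a-valid-ciphertext')]);   // corrupt row: must stay at version 1

$stats = migrateUserSharekeys($db, 7, $key->toString('PKCS8'));
printf("migrated=%d failed=%d remaining=%d complete=%s\n",
    $stats['migrated'], $stats['failed'], remainingLegacySharekeys($db, 7),
    markMigrationCompleteIfDone($db, 7) ? 'yes' : 'no');
```

The corrupt row keeps the migration incomplete on purpose: it is the case a `--dry-run` of the repair script should surface before anyone marks the user as done.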


Other Changes

  • API key regenerated during key regeneration: The API key in the api table was encrypted with the old public key and became undecryptable after key regeneration. It is now automatically regenerated.
  • "Generate API key" button moved to the user Profile page.
  • "Sync LDAP password" button removed from the user menu (no longer needed).
  • Private key decryption failure: instead of a 500 error or misleading "bad credentials" message, users now see a clear toast: "Unable to decrypt your encryption keys. Please contact your administrator to regenerate your keys."
  • Personal items preserved during admin key regeneration: personal item sharekeys are no longer deleted when an admin regenerates a user's keys.
  • Missing fields in users table fixed in fresh install step 5.
  • Fix PHP Warning on Tasks page: undefined receiver_name by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5068
  • Fix console error when pressing Enter in Users search by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5074

Repair Scripts

Two CLI scripts are included for diagnosing and repairing existing issues:
  • scripts/fix_integrity_hash.php: Repairs users with missing or incorrect key_integrity_hash / transparent recovery data
  • scripts/repair_phpseclib_migration.php: Diagnoses and fixes users with incomplete phpseclib v3 sharekey migration
Run either script with --help for usage details.


Upgrade Notes

  1. Run the standard upgrade process (/install/upgrade.php). The upgrade script will automatically migrate the TP_USER private key to the user_private_keys table.
  2. If you have users reporting empty passwords or 500 errors, use the "Generate new keys" action from the Users administration page as a first resolution step.
  3. If you upgraded from a version prior to 3.1.6 and some users still have phpseclib v1 sharekeys, run php scripts/repair_phpseclib_migration.php --dry-run to check and --fix to repair.
  4. For AD/LDAP environments: users who were previously locked out with auto_reencryption_critical_failure can be repaired by running php scripts/fix_integrity_hash.php.

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.3...3.1.6.5


3.1.6.4 Breaking risk
⚠ Upgrade required
  • Run the standard upgrade process; the script will migrate TP_USER's private key to `user_private_keys`.
  • If users report empty passwords or HTTP 500 errors, use the "Generate new keys" action first.
  • For installations upgraded from pre‑3.1.6 with phpseclib v1 sharekeys, run `php scripts/repair_phpseclib_migration.php --dry-run` then `--fix` to repair.
Breaking changes
  • Private user keys are now read from the `teampass_user_private_keys` table (filtered on `is_current = 1`); the `private_key` column in `teampass_users` is deprecated and no longer the source of truth.
Notable features
  • "Generate new keys" action added to Users administration for regenerating sharekeys, public/private/seed keys.
  • On‑the‑fly backup comments now supported (editable via .meta.json).
  • New CLI repair script `repair_phpseclib_migration.php` for fixing incomplete phpseclib v3 migration.
Full changelog

Overview

Version 3.1.6.4 is a stability and reliability release focused on encryption key management. It addresses several critical issues that could cause empty passwords, HTTP 500 errors, or account lockouts — particularly for LDAP/AD environments and after admin key regeneration operations.

What's Changed

Critical Fixes

Empty passwords on recently created items

A race condition could cause the user's private_key and public_key to become desynchronized. When this happened, sharekeys for new items were encrypted with a public key that no longer matched the private key — resulting in empty passwords displayed to the user. The write order has been corrected across all key generation paths (handleUserKeys, generateOneTimeCode, password change, profile update).

If you already have affected users (can see items but passwords appear empty for recently created ones while older items still work): use the "Generate new keys" action from the Users administration page (see below).

HTTP 500 when viewing items (auto_reencryption_failed in log_system)

Decryption failures in custom fields or item data could trigger an unhandled exception and crash the entire page load. Decryption is now wrapped in try/catch: the item loads normally and a warning toast identifies which specific fields could not be decrypted.

AD/LDAP users locked out after account reactivation

When a disabled AD account was reactivated, the password hash was updated before key recovery completed. If recovery failed, subsequent logins would silently use corrupted encryption keys, causing 500 errors when accessing items. The authentication flow now only updates the password hash after successful key recovery.

Transparent recovery data not persisted

When user RSA keys were regenerated (admin password reset, recovery code, admin key regeneration), the transparent recovery fields (user_derivation_seed, private_key_backup, key_integrity_hash) were not saved to the database. This caused attemptTransparentRecovery() to fail with key_integrity_check_failed for AD/LDAP users who changed their password, ultimately disabling their account. All key regeneration paths now persist recovery data correctly.

Locked account producing no feedback

When an account was disabled, the login page showed no error message. The error response format has been fixed so users now see a clear "account is locked" notification.


Encryption Key Architecture Change

Private keys now read from user_private_keys table
All read paths for user private keys have been migrated from the teampass_users.private_key column to the teampass_user_private_keys table (filtered on is_current = 1). The private_key column in teampass_users is still written to (dual-write) for backward compatibility but is no longer the source of truth.

The upgrade script ensures the TP_USER account has its private key properly stored in user_private_keys.


New Admin Features

"Generate new keys" action in Users administration

A new option is available in the user action menu on the Users page. When triggered (with confirmation), it regenerates all sharekeys and the user's public, private, and seed keys. The user can then log in with their normal password and access all shared passwords again. Note: personal item passwords are lost when using this action — the user will be prompted to re-encrypt personal items with their old password if applicable.

On-the-fly backup comments by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5073

On-the-fly backups now support an optional comment field. You can add a comment when creating a backup and edit comments on existing backups from the backup list. Comments are stored in the .meta.json sidecar file and displayed in the backup table.


phpseclib v3 Migration Fix

The sharekey migration from phpseclib v2 to v3 had two issues:

  • Updated sharekeys kept their old encryption_version=1 instead of being marked as v3
  • Migration could be marked as complete before all sharekeys were actually migrated

Both are fixed. A new CLI repair script is available for users with inconsistent migration state:
php scripts/repair_phpseclib_migration.php --help


Other Changes

  • API key regenerated during key regeneration: The API key in the api table was encrypted with the old public key and became undecryptable after key regeneration. It is now automatically regenerated.
  • "Generate API key" button moved to the user Profile page.
  • "Sync LDAP password" button removed from the user menu (no longer needed).
  • Private key decryption failure: instead of a 500 error or misleading "bad credentials" message, users now see a clear toast: "Unable to decrypt your encryption keys. Please contact your administrator to regenerate your keys."
  • Personal items preserved during admin key regeneration: personal item sharekeys are no longer deleted when an admin regenerates a user's keys.
  • Missing fields in users table fixed in fresh install step 5.

Repair Scripts

Two CLI scripts are included for diagnosing and repairing existing issues:
  • scripts/fix_integrity_hash.php: Repairs users with missing or incorrect key_integrity_hash / transparent recovery data
  • scripts/repair_phpseclib_migration.php: Diagnoses and fixes users with incomplete phpseclib v3 sharekey migration
Run either script with --help for usage details.


Upgrade Notes

  1. Run the standard upgrade process (/install/upgrade.php). The upgrade script will automatically migrate the TP_USER private key to the user_private_keys table.
  2. If you have users reporting empty passwords or 500 errors, use the "Generate new keys" action from the Users administration page as a first resolution step.
  3. If you upgraded from a version prior to 3.1.6 and some users still have phpseclib v1 sharekeys, run php scripts/repair_phpseclib_migration.php --dry-run to check and --fix to repair.
  4. For AD/LDAP environments: users who were previously locked out with auto_reencryption_critical_failure can be repaired by running php scripts/fix_integrity_hash.php.

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.3...3.1.6.4


3.1.6.3 Breaking risk
⚠ Upgrade required
  • To migrate progressively, set `FORCE_PHPSECLIBV3_MIGRATION` to `FALSE` in `./includes/config/include.php`.
  • Review the impacts of the new password library (PHP discussion #4020).
Breaking changes
  • Forced user login migration; set `FORCE_PHPSECLIBV3_MIGRATION` to `FALSE` in `./includes/config/include.php` for progressive migration.
  • Removed user password sanitization (see MIGRATION_PASSWORD_SANITIZATION documentation).
  • Minimum PHP version increased to 8.1.
Notable features
  • Operational Usage Dashboard showing Users/Roles/Items and Password Secure Score.
  • Inactive users management with inactivity thresholds and aligned confirmation modals.
  • Trigger file mechanism for immediate background task processing (avoids up to 60 s cron delay).
Full changelog

What's Changed

  • New Features
    • Add Operational Usage Dashboard to Statistics (Users/Roles/Items + Password Secure Score) by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5059
    • Inactive users management (never connected / inactivity thresholds) + aligned confirmation modals by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5060
    • Add small card for extension promotion in admin page
    • Add trigger file mechanism for immediate background task processing (avoids waiting for next cron cycle up to 60s)
    • Automatic User Provisioning via Active Directory (using specific option)
  • Bug Fixes
    • Fix recycle bin: restore stability, full origin paths, and consistent soft-delete behavior (phpseclib v3) by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5058
    • Fix: Prevent premature session expiration
    • Fix AD group to Teampass role mapping (using getUserADGroups() for posixGroup memberuid comparison)
    • Implement dynamic visible folder construction for new AD users (empty cache)
    • Add buildUserVisibleFolderIds() to calculate access based on roles
    • Add safety checks for JSON parsing in cache processing
  • Updates
    • Various updates on users, statistics, admin, utilities, folders pages

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.2...3.1.6.3


3.1.6.2 Breaking risk
⚠ Upgrade required
  • If progressive migration is desired, set `FORCE_PHPSECLIBV3_MIGRATION` to `FALSE` in `./includes/config/include.php`
  • Refer to documentation for impacts of the new password library (PHP discussion #4020)
Breaking changes
  • Minimum PHP version raised to 8.1
Notable features
  • Centralized output sanitization via secureStringWithAntiXss() and secureOutput()
  • LDAP group synchronization fixes for OpenLDAP without memberof attribute; supports posixGroup, groupOfNames, groupOfUniqueNames; UI shows status icons
  • Background tasks now processed in parallel (max 2 concurrent)
Full changelog

What's Changed

  • Security:
    • XSS Protection: Centralized output sanitization across the codebase:
      • Added secureStringWithAntiXss(): Recursively cleans strings, arrays, and objects using the AntiXSS library
      • Added secureOutput(): Applies htmlspecialchars() with UTF-8 encoding to specified fields
      • Secured user login and email data in users list
      • Secured activity log data and search results
      • Added input sanitization for imported CSV data
  • LDAP/OpenLDAP:
    • Fixed LDAP group synchronization for OpenLDAP servers without memberof attribute
      • Fetch groups separately and build reverse user→groups mapping
      • Support for posixGroup (memberUid), groupOfNames, and groupOfUniqueNames
      • Display user's LDAP groups with status icons in sync interface (exists in Teampass, user has role, add role)
      • Fixed role assignment using users_roles table instead of obsolete fonction_id column
  • Background Tasks:
    • Tasks are now processed in parallel (max 2 concurrent tasks)
    • Tasks are processed until the pool is empty
  • Import:
    • Fixed: A single item inside a folder has its password encryption corrupted
    • Force cache_tree rebuild for user after import
  • Items
    • Improved management of item sharekey creation
  • Bug Fixes:
    • Fix for #5050
    • Fix potential variable non-initialization
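The group-inversion step from the LDAP/OpenLDAP fix above, as an added example that is not TeamPass's sync code: group entries are fetched once and inverted into a user-to-groups map for servers without the memberOf overlay, handling posixGroup (memberUid holds a uid), groupOfNames (member holds a DN) and groupOfUniqueNames (uniqueMember holds a DN), followed by the three-way status the sync interface displays. The entries are constructed to mirror the shape of ldap_get_entries() output; the helper names and the role lookup structures are assumptions.

```php
<?php
// Added example, not TeamPass code. Input entries are constructed in the shape
// ldap_get_entries() returns (lower-case attribute names, 'count' key per value list).

/** Values of one attribute from an ldap_get_entries()-style entry, without the 'count' key. */
function attrValues(array $entry, string $attr): array
{
    $values = $entry[$attr] ?? [];
    unset($values['count']);
    return array_values($values);
}

/** Canonical DN for comparison: case-insensitive, whitespace around commas ignored. */
function normalizeDn(string $dn): string
{
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

/**
 * @param array $groupEntries group entries from ldap_get_entries()
 * @param array $userDnByUid  uid => DN for the users being synchronised
 * @return array              uid => sorted list of group cn values
 */
function buildUserGroupsMap(array $groupEntries, array $userDnByUid): array
{
    $uidByDn = [];
    foreach ($userDnByUid as $uid => $dn) {
        $uidByDn[normalizeDn($dn)] = $uid;
    }
    $map = array_fill_keys(array_keys($userDnByUid), []);

    foreach ($groupEntries as $group) {
        $cn = $group['cn'][0] ?? null;
        if ($cn === null) {
            continue;
        }
        $classes = array_map('strtolower', attrValues($group, 'objectclass'));
        $members = [];                                   // uids belonging to this group
        if (in_array('posixgroup', $classes, true)) {
            $members = attrValues($group, 'memberuid');  // posixGroup lists uids directly
        }
        // DN-based schemas: resolve each member DN back to a uid.
        foreach (['groupofnames' => 'member', 'groupofuniquenames' => 'uniquemember'] as $class => $attr) {
            if (!in_array($class, $classes, true)) {
                continue;
            }
            foreach (attrValues($group, $attr) as $dn) {
                $uid = $uidByDn[normalizeDn($dn)] ?? null;   // DNs of users outside the sync scope are skipped
                if ($uid !== null) {
                    $members[] = $uid;
                }
            }
        }
        foreach (array_unique($members) as $uid) {
            if (array_key_exists($uid, $map)) {              // ignore memberUid values for unknown users
                $map[$uid][] = $cn;
            }
        }
    }
    foreach ($map as &$groups) {
        $groups = array_values(array_unique($groups));
        sort($groups);
    }
    unset($groups);
    return $map;
}

/** Status shown per group in the sync interface: matching role exists, user has it, or it must be added. */
function groupSyncStatus(string $groupCn, array $roleIdByTitle, array $userRoleIds): string
{
    if (!isset($roleIdByTitle[$groupCn])) {
        return 'no matching role';
    }
    return in_array($roleIdByTitle[$groupCn], $userRoleIds, true) ? 'user has role' : 'add role';
}

// --- constructed data ---
$userDnByUid = [
    'alice' => 'uid=alice,ou=people,dc=example,dc=org',
    'bob'   => 'uid=bob,ou=people,dc=example,dc=org',
];
$groupEntries = [
    ['cn' => ['count' => 1, 0 => 'devops'],   'objectclass' => ['count' => 2, 0 => 'top', 1 => 'posixGroup'],
     'memberuid' => ['count' => 2, 0 => 'alice', 1 => 'carol']],
    ['cn' => ['count' => 1, 0 => 'admins'],   'objectclass' => ['count' => 2, 0 => 'top', 1 => 'groupOfNames'],
     'member' => ['count' => 1, 0 => 'UID=Bob, OU=People, DC=example, DC=org']],
    ['cn' => ['count' => 1, 0 => 'auditors'], 'objectclass' => ['count' => 2, 0 => 'top', 1 => 'groupOfUniqueNames'],
     'uniquemember' => ['count' => 2, 0 => 'uid=alice,ou=people,dc=example,dc=org', 1 => 'uid=bob,ou=people,dc=example,dc=org']],
];
$map           = buildUserGroupsMap($groupEntries, $userDnByUid);
$roleIdByTitle = ['devops' => 3, 'auditors' => 5];   // roles present in Teampass (constructed)
$userRoleIds   = ['alice' => [3], 'bob' => []];      // roles already held, from users_roles (constructed)
foreach ($map as $uid => $groups) {
    foreach ($groups as $cn) {
        printf("%-6s %-9s %s\n", $uid, $cn, groupSyncStatus($cn, $roleIdByTitle, $userRoleIds[$uid]));
    }
}
```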

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.1...3.1.6.2


3.1.6.1 Breaking risk
⚠ Upgrade required
  • Set `FORCE_PHPSECLIBV3_MIGRATION` to `FALSE` in `./includes/config/include.php` for progressive migration.
  • Review the impacts of the new password library at https://github.com/nilsteampassnet/TeamPass/discussions/4020.
Breaking changes
  • Minimum PHP version increased to 8.1
  • User password sanitization removed (see MIGRATION_PASSWORD_SANITIZATION documentation)
  • Personal items migration phase implemented
Notable features
  • Transparent user password recovery for AD‑based password changes
  • Refactored personal items migration with improved management
  • New password library implementation (see discussion #4020)
Full changelog

What's Changed

  • Fix: restore API connected users visibility in Utilities Database by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5048
  • Removed deleted users from admin page statistics
  • Ensured that new user has correct phpseclib version
  • Fix https://github.com/nilsteampassnet/TeamPass/issues/5046:
    • Fixed user key encryption using SHA-256 to match declared encryption_version 3
    • Fixed aesDecrypt() returning false instead of throwing exception, preventing SHA-256/SHA-1 fallback
    • Fixed attemptTransparentRecovery() not returning private_key_clear on success
    • Fixed AD users first login: private key is now re-encrypted with AD password via transparent recovery
    • Fixed null private key passed to decryptUserObjectKey() during login
  • Fix #5046 - Ensured the encryption settings were correctly set

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.6.0...3.1.6.1


3.1.6.0 Breaking risk
⚠ Upgrade required
  • To migrate progressively instead of forced on login, set `FORCE_PHPSECLIBV3_MIGRATION` to `FALSE` in `./includes/config/include.php`.
  • Review the discussion on password library impacts for operational changes: https://github.com/nilsteampassnet/TeamPass/discussions/4020.
Breaking changes
  • Migration from phpseclib v1 to v3 (SHA-1 → SHA-256) is forced on user login; set `FORCE_PHPSECLIBV3_MIGRATION` to `FALSE` for progressive migration.
  • Minimum PHP version raised to 8.1.
Notable features
  • CLI-based restore authorization workflow (web UI prepares, CLI executes).
Full changelog

What's Changed

  • Migration phpseclib v1 → v3 (SHA-1 → SHA-256) by @nilsteampassnet in https://github.com/nilsteampassnet/TeamPass/pull/5033
  • Fix add and remove favorite items by @cosmedd in https://github.com/nilsteampassnet/TeamPass/pull/5036
  • Fix the copy URL button in search results by @cosmedd in https://github.com/nilsteampassnet/TeamPass/pull/5037
  • CLI-based restore authorization (web UI prepares, CLI executes) by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5041
  • Logs: distinguish Web vs API/Extension sources, fix ordering, purge & duplicates by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5044
  • Fix: Show item description preview consistently in Items tree by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5045

New Contributors

  • @cosmedd made their first contribution in https://github.com/nilsteampassnet/TeamPass/pull/5036

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.5.26...3.1.6.0


3.1.5.26 Breaking risk
⚠ Upgrade required
  • New password library implemented – review impacts at https://github.com/nilsteampassnet/TeamPass/discussions/4020
  • Follow upgrade documentation: https://documentation.teampass.net/#/install/upgrade
Breaking changes
  • Minimum PHP version raised to 8.1
Notable features
  • Transparent user password recovery for external AD changes
  • Personal items migration phase with improved management
Full changelog

What's Changed

  • Backup integrity: add restore compatibility checks + metadata sidecar by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5027
  • API - Fix password complexity check error in some cases

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.5.25...3.1.5.26


3.1.5.24 Breaking risk
Breaking changes
  • Requires at least PHP 8.1
Security fixes
  • CVE-2024-XXXXX – Arbitrary JavaScript execution in admin login logs (XSS vulnerability)
Full changelog

What's Changed

  • Add users control to backup functions by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5018
  • Fix log purge breaking item access by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5024
  • Display api extension connected users in utilities database by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5026
  • Fix - an import file might not be deleted if import process fails
  • Fix vulnerability - Arbitrary JavaScript code is automatically executed in the administrator's browser when viewing failed login entries
  • Fix vulnerability - Application does not properly sanitize or encode user-input data during the import process
  • API - Several adjustments in order to provide features to the Teampass browser extension
    • Add maintenance_mode in API auth JWT
    • Favicon_url is stored
  • Fix - Docker build
  • Updated copyright year

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.5.23...3.1.5.24


3.1.5.23 Breaking risk
⚠ Upgrade required
  • New password library introduced – review impacts at https://github.com/nilsteampassnet/TeamPass/discussions/4020
  • Follow upgrade instructions in the official documentation: https://documentation.teampass.net/#/install/upgrade
Breaking changes
  • Removed user password sanitization (see migration documentation)
  • Minimum PHP version increased to 8.1
Notable features
  • Added API field "favicon_url"
  • Implemented transparent user password recovery for external AD changes
Full changelog

What's Changed

  • API - New field "favicon_url" added
  • Code adjustments in backup files

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.5.21...3.1.5.23

3.1.5.21 Breaking risk
⚠ Upgrade required
  • Read MIGRATION_PASSWORD_SANITIZATION.md for migration steps after removal of password sanitization.
  • Review discussion #4020 regarding impacts of the new password library before upgrade.
Breaking changes
  • Removed user password sanitization (see MIGRATION_PASSWORD_SANITIZATION.md)
  • Minimum PHP version increased to 8.1
  • New password library introduced with documented impacts
Notable features
  • Scheduled Backup feature
  • Enhanced On‑the‑Fly Restore Process
Full changelog

What's Changed

  • Feature Update: Introduction of Scheduled Backup and Enhanced On-the-Fly Restore Process by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5017
  • Fix in API itemModel while creating an item

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.5.19...3.1.5.21

3.1.5.20 Breaking risk
⚠ Upgrade required
  • New password library implemented – review impacts at https://github.com/nilsteampassnet/TeamPass/discussions/4020
  • Follow upgrade documentation: https://documentation.teampass.net/#/install/upgrade
Breaking changes
  • Removed user password sanitization (see MIGRATION_PASSWORD_SANITIZATION.md)
  • Minimum PHP version bumped to 8.1
Notable features
  • Scheduled Backup
  • Enhanced On-the-Fly Restore Process
Full changelog

What's Changed

  • Feature Update: Introduction of Scheduled Backup and Enhanced On-the-Fly Restore Process by @guerricv in https://github.com/nilsteampassnet/TeamPass/pull/5017

Full Changelog: https://github.com/nilsteampassnet/TeamPass/compare/3.1.5.19...3.1.5.20
