Passbolt Windows Application 2.7.0 introduces full compatibility with dynamic role management, allowing the Windows application to support additional roles that better align with internal policies and compliance requirements. This release also adds drag & drop user assignment to groups and implements stronger protection against clickjacking and deceptive overlays.

Dynamic Role Management Compatibility

The Windows application is now fully compatible with the Dynamic Role Management system introduced in version 5.8. While the creation and definition of roles remain exclusive to the browser extension, this application strictly enforces the associated scopes and constraints.

The default Admin and User roles remain fixed. The Admin role retains access to all capabilities and cannot be restricted, while the User role respects any defined restrictions but cannot perform delegated administrative tasks.
Users assigned to custom roles are also fully supported. The application recognizes the specific capabilities granted to these new roles, currently limited to two per instance. As the scope of dynamic roles expands in the future, the Windows application will adapt to support additional use cases.

As the scope of dynamic roles expands in future updates based on community feedback, the Windows application will continue to evolve to support these new use cases.

Drag & drop users to groups

Managing group membership often requires repetitive actions when working with large teams or frequently changing group structures. Administrators can now add users to a group by dragging them directly onto it from the Users & Groups workspace. This removes the need to open and edit each group individually, making day-to-day group management faster and more fluid.

Stronger protection against clickjacking and deceptive overlays

Clickjacking and overlay techniques aim to trick users into clicking something different from what they believe they are interacting with. This release reinforces defenses against these UI-level attacks in edge-case conditions, including scenarios where a compromised context tries to influence user interactions.

In practice, this extra layer of strengthening helps ensure users cannot be guided into interacting with sensitive Passbolt components when those components are not fully visible and clearly presented to them.

Miscellaneous improvements

As usual, this release includes fixes and smaller improvements intended to improve the overall experience. For the full list of changes, please refer to the changelog.
Many thanks to everyone who provided feedback and helped refine these features.

Passbolt Windows Application 2.6.1 restores ARM64 architecture support, which was inadvertently missing from the 2.6.0 release. The Windows application now properly supports all four CPU architectures: x64, x86, ARM, and ARM64.

Fixed

• PB-47634 Update csproj to accept arm64 architecture

Passbolt Windows Application 2.6.0 introduces secret history, a highly demanded feature that gives users visibility and control over previous versions of their secrets. This release also includes several usability improvements requested and bug fixes reported by the community.

Secret history

It is now possible to access previous revisions of a secret directly from Passbolt.

Secret history helps reduce the impact of human error and offers a safer way to manage evolving secrets. For instance, this enables users to undo an accidental update on the spot. Note that the feature is disabled by default and requires an administrator to enable it from the administration workspace.

User and group workspace improvements

A new “Remove from group” action has been added to the user and group workspace. This addition eliminates the confusion between permanently deleting a user and simply removing them from a specific group.

Moreover, administrators can now instantly filter users that require attention via the “Attention Required” filter in the workspace. For instance: identifying users with a pending account recovery request to review, or missing metadata keys.

Import report

The application now displays a summary dialog after an import, offering accurate and actionable information. The report precisely categorises alerts into successes, warnings and errors, providing end users with additional logs.

Miscellaneous Improvements

As usual this release is packed with improvements and bug fixes reported by the community. For more, check out the changelog below.

Many thanks to everyone who provided feedback, reported issues, and helped refine these new features.

Added

• PB-17712 Focus should be put in the passphrase field when importing keepass file protected by passphrase
• PB-33599 Allow users to access previous revisions of a resource’s secret
• PB-33599 Allow administrators to configure how many secret revisions are retained
• PB-44420 Allow administrators to download the Users Directory sync report for follow-up actions
• PB-44434 As an administrator I can see encrypted metadata healthchecks from the administration workspace
• PB-45249 Add “Attention required” filter in the “Users & groups” workspace to filter users by attention required
• PB-45842 Add link to SCIM admin guide in the product
• PB-46427 Add remove from group button in User & Group Workspace page
• PB-46941 Windows application should be compatible with 5.7.0
• PB-46846 As a windows application I should catch the unexpected error to display it to a dialog

Fixed

• PB-18497 Add loading spinner when submitting imported GPG key during account extension association (activation/recover)
• PB-36183 Display UTC date in tooltip for relative “X days ago” timestamps
• PB-42032 Fix: update passphrase help section link goes to the former help site
• PB-43950 Add padding between fields and their description on the Users Directory administration page
• PB-44603 Help link in administration internationalization page should target the contribute page of the help site
• PB-44949 GITHUB#240 Inform menu crash on suggested resource icon
• PB-45263 Enforce password expiry on imported resources when a password policy requires it
• PB-45588 Extend metadata description textarea in resource creation dialog to use full available height
• PB-45699 User without groups is not display correctly on the right sidebar
• PB-45723 The in-form CTA is not visible since v5.5 for some web application
• PB-45797 Fix typos in BExt
• PB-45917 I can autofill my username in the login form of cryptpad in French
• PB-45992 Keep selection of resources when collapsing the Workspace section
• PB-46013 Empty Full Report textarea displayed in Users Directory dialogs when there are no resources to synchronize
• PB-46065 Prevent re-encryption of metadata with personal user key when a resource is shared with a group
• PB-46118 Import unexpected error handling on import
• PB-46191 Update UserSettings validateDomain to make sure the issue cannot be exploited
• PB-46372 As LU, I should see the content share dialog within the boundaries of the dialog
• PB-46385 Fix auto-fill on OVH with custom selector field on username

Maintenance

• PB-30373 Remove unused event passbolt.app-bootstrap.navigate-to-logout
• PB-45099 Update: Regular expression on private key metadata validation
• PB-45100 Update: Regular expression on GPG Message validation
• PB-45585 Fix SCIM styleguide related unit tests error
• PB-45589 Refactor resource favorite capability to use FavoriteServiceWorkerService instead of direct port requests
• PB-45590 Migrate favorite logic from FavoriteModel to FavoriteResourceService and remove legacy model
• PB-45591 Route passbolt.favorite.add/delete events through controllers instead of calling services directly
• PB-45593 Add test coverage for FavoriteService API and rename class to align with Passbolt standard
• PB-45678 Upgrade ESLint dependencies across both repositories
• PB-45835 Migrate group (partially) related code to new architecture
• PB-45894 Rename leftSideBar and rightSideBar classes to respect naming convention
• PB-45963 Replace find-all with find-my-groups Port Requests
• PB-45965 Rename groupService to groupApiService
• PB-46127 Update i18next dependency
• PB-46190 Update themeEntity to remove preview unused field
• PB-46891 Small upgrade for js-yaml (Medium) - passbolt-windows
• PB-47110 Small upgrade for xregexp (High)
• PB-46829 Object deserialization can lead to remote code execution (Medium) - passbolt-windows
• PB-46894 Provide a packe.lock.json file for Aikido to improve dependencies scanning
• PB-46095 Migrate application from UWP to WinUI 3

Passbolt Windows Application 2.4.0 ships with the zero-knowledge for encrypted metadata feature available with API 5.5.0. Zero-knowledge for encrypted metadata is intended for organisations that prioritise maximum privacy and can do without server-side auditability. In this mode, the server never receives the shared metadata private key and therefore cannot access any resource metadata.

When a new user joins, the server does not automatically share the key with them. Instead, administrators are notified by email once the user has completed their activation and is ready to receive access. From the Users & Groups workspace, administrators can then review the situation and share the key when the time is right.

Until a user receives the key, their experience is intentionally limited: actions that depend on the shared metadata key, such as sharing a resource, moving a private item into a shared folder, or creating content meant to be shared, are blocked.

To know more about the encrypted metadata zero-knowledge mode, check out this blog post.

Many thanks to everyone who took the time to file issues and suggest improvements.
Check out the changelog for more information.

[2.5.0] - 2025-09-17

Added

• PB-43921 - Increase directory sync report dialog size
• PB-44393 ZK - WP5.1 As an administrator I should be able to enable zero knowledge mode
• PB-44646 ZK - WP5.3 Add share metadata private keys to MetadataKeysSettingsEntity
• PB-44641 ZK - WP5.4 Create UpdateMetadataSettingsPrivateKeyService to to be able to disabled zero knowledge mode
• PB-44631 ZK - WP5.5 Update SaveMetadataKeysSettingsController to be able to disabled zero knowledge mode
• PB-44757 ZK - WP5.6 As an administrator with missing metadata keys I should not be able to change metadata settings

Fixed

• PB-44638 - Password expiry should not be removed when password is not updated
• PB-44604 - Fix regular expression on public key metadata validation
• PB-45060 - Fix custom fields json schema properties type
• PB-44933 - Fix setup a new user should have missing key set

Maintenance

• PB-44594 - Upgrade xregexp to 5.1.2

Passbolt Windows Application 2.4.0 ships with the zero-knowledge for encrypted metadata feature available with API 5.5.0. Zero-knowledge for encrypted metadata is intended for organisations that prioritise maximum privacy and can do without server-side auditability. In this mode, the server never receives the shared metadata private key and therefore cannot access any resource metadata.

When a new user joins, the server does not automatically share the key with them. Instead, administrators are notified by email once the user has completed their activation and is ready to receive access. From the Users & Groups workspace, administrators can then review the situation and share the key when the time is right.

Until a user receives the key, their experience is intentionally limited: actions that depend on the shared metadata key, such as sharing a resource, moving a private item into a shared folder, or creating content meant to be shared, are blocked.

To know more about the encrypted metadata zero-knowledge mode, check out this blog post.

Many thanks to everyone who took the time to file issues and suggest improvements.
Check out the changelog for more information.

[2.4.0] - 2025-09-17

Added

• PB-43921 - Increase directory sync report dialog size
• PB-44393 ZK - WP5.1 As an administrator I should be able to enable zero knowledge mode
• PB-44646 ZK - WP5.3 Add share metadata private keys to MetadataKeysSettingsEntity
• PB-44641 ZK - WP5.4 Create UpdateMetadataSettingsPrivateKeyService to to be able to disabled zero knowledge mode
• PB-44631 ZK - WP5.5 Update SaveMetadataKeysSettingsController to be able to disabled zero knowledge mode
• PB-44757 ZK - WP5.6 As an administrator with missing metadata keys I should not be able to change metadata settings

Fixed

• PB-44638 - Password expiry should not be removed when password is not updated
• PB-44604 - Fix regular expression on public key metadata validation
• PB-45060 - Fix custom fields json schema properties type
• PB-44933 - Fix setup a new user should have missing key set

Maintenance

• PB-44594 - Upgrade xregexp to 5.1.2

Passbolt Windows Application 2.3.2 fixes an issue introduced in version 2.3.0. The clipboard protection feature, which cleared the clipboard 30s after copying a secret, was causing the application to crash. Clipboard flushing has been temporarily disabled to allow users to access their secrets. We are investigating how to fix the crash and re-enable this security feature in a future release.

Many thanks to everyone who reported the issue.

Fixed

• PB-45095: Copy username or password did nothing

Passbolt Windows Application 2.3.1 is fixing an issue introduced during the version 2.1.0. When a user wanted to copy its password or its username, the clipboard was not working anymore and we solved it by adding the Clipboard feature done during the bext version 5.3.2 .

The new clipboard flush timer lets you copy secrets just long enough to use them; clipboard data is automatically cleared when the countdown (30s) expires, significantly reducing the risk of accidental exposure or leaks from forgotten clipboard content.

Many thanks to everyone who reported issues. Your feedback made this release possible and solves issues to all users today.

[2.3.1] - 2025-09-04

Fixed

• feature/PB-45095_Windows-app-copy-username-or-password-does-nothing

Passbolt Windows application 2.2.1 is a hot fix release that restores protected actions like creating and editing resources on some API servers behind a proxy. If you saw CSRF errors, install 2.2.1 and try again.

Thanks to everyone who reported the issue. See the changelog for details.

[2.2.1] - 2025-08-01

Fixed

• PB-43969 CSRF token in request body or headers does not match or is missing on the windows app

Passbolt Windows application 2.2.1 is a hot fix release that restores protected actions like creating and editing resources on some API servers behind a proxy. If you saw CSRF errors, install 2.2.1 and try again.

Thanks to everyone who reported the issue. See the changelog for details.

Fixed

PB-43969 CSRF token in request body or headers does not match or is missing on the windows app

Windows passbolt 2.2.0 adds custom fields, one of the five most‑requested features from the community. Built on top of encrypted‑metadata introduced earlier this year, custom fields let users attach additional key‑value pairs to a resource or as a standalone one. Typical use‑cases include centralising CI/CD job variables and storing environment‑specific configuration values that need more structure than a general note.

Custom fields rely on encrypted metadata, therefore the feature is still in beta and is not yet available on Passbolt Cloud. A step‑by‑step guide on how to enable the encrypted metadata on a self‑hosted instance will be available in a blog post that will be published soon. The encrypted‑metadata feature is scheduled to be marked as stable in Passbolt 5.4, planned for August 2025.

Several bugs reported by the community have also been fixed. As always, thank you to everyone who took the time to file issues, test patches and suggest improvements. For a complete list of changes, consult the changelog.

Added

• PB-43269 Create the entity CustomFieldEntity
• PB-43271 Create the entity collection CustomFieldsCollection
• PB-43273 Create the entity SecretDataV5StandaloneCustomFieldsCollection
• PB-43275 Update the resource types schema definitions
• PB-43277 Update the ResourceMetadataEntity
• PB-43278 Update the ResourceFormEntity
• PB-43279 Update the Secret Entities
• PB-43283 Display a new entry the create/edit dialog to set custom fields on the left sidebar and the menu
• PB-43284 Create the CustomFieldForm for the create/edit dialog
• PB-43285 Handle the CustomFieldForm warnings and limitation
• PB-43286 Update create/edit resource to select secret custom fields for a standalone custom fields
• PB-43287 Display the Custom Fields section on the right sidebar
• PB-43289 Display standalone custom fields in the component DisplayResourceCreationMenu
• PB-43290 Display standalone custom fields in the component DisplayResourcesWorkspaceMainMenu
• PB-43291 Display the URIs section in the right sidebar
• PB-43374 Add validation on keys and values of each elements of custom fields for the resource form entity
• PB-43377 Add set collection into entity v2
• PB-43145 Find a list of resources based on IDs and that are suitable for local storage from the API
• PB-43146 Find a list of resources based on a parent folder id and that are suitable for the local storage from the API
• PB-43133 Display padding below tags in resource workspace left sidebar
• PB-42185 The folder caret that expands or collapses folders in the tree should have a larger clickable area to make it easier to use
• PB-43222 Improve the group dialog to match the new share dimensions
• PB-43147 Find and update resources based on parent folder id for the local storage
• PB-43148 Create a connector for finding resources based on a parent id for the styleguide to call it later
• PB-43149 Create a ResourcesServiceWorkerService to call the service worker for resource related operations
• PB-43150 Implement the optimidsed call in the Styleguide when filtering by a folder
• PB-43151 Optimise the data retrieved from the API such that updates are not done if unnecessary
• PB-43156 Clarify implications for backups and other devices before changing the passphrase in the user settings workspace
• PB-43489 Display unexpected error if there is any issue during the secret decryption

Fixed

• PB-43109 Fix: from the sidebar when upgrade from v4 to v5 goes wrong the error message in the notification
• PB-43118 Hide the "Share metadata keys" button in the users workspace action bar for the current signed-in user
• PB-43215 Fix account recovery creator name
• PB-43063 Fix group edit dialog double warning message has broken UI
• PB-43117 Hide the "Share metadata keys" button in the users workspace action bar after sharing missing metadata keys with a user
• PB-43064 Fix group edit dialog can show a mix of error and warning messages
• PB-43150: fix folder not being reloaded
• PB-43424 Clicking on the "open in a new tab” call to action in the quick application should open the resource url in a new tab
• PB-43108 Display attention required icon on "metadata keys" label in the user details sidebar if the user is not having access to some metadata keys
• PB-43217 The default icon stroke width is too thick in the grid and doesn't match the custom icons
• PB-43220 Copy URL field action button lacks padding and is broken in the SSO settings
• PB-43168 Align vertically resources workspace select check-boxes
• PB-43211 The feedback message notifying the administrator when a metadata key has been shared with a user contains a typo
• PB-43471 Center vertically the icon on the create and edit dialog