Passwork 7.2.4 update is available in the Customer portal.
Fixed an issue in the Security dashboard where the threat warning about a password being viewed via an expired link disappeared after deleting that link: the threat warning now persists until the password is changed
Fixed an issue where after setting up 2FA, authentication apps (e.g., Google Authenticator) displayed incorrect text instead of the user's login
Fixed PIN logic in the browser extension: now when a PIN is deleted or after three failed attempts, only the current session is reset
Fixed an issue where the Enter key was incorrectly handled in the "Background task history retention period" field
Fixed an issue where a folder would only open after double-clicking on its name
Fixed an issue where email notifications could be sent to blocked and unconfirmed users when vault access was changed
Fixed an issue where the directory filter reset button did not work in the Activity log
Minor improvements to UI and localization
You can find all information about Passwork updates in our release notes
In the new releases, we’ve added the capability to display a company logo in the Passwork interface, improved event display in the Activity log and Notifications settings, and fixed several UI issues.
Improvements
Added the capability to display a company logo in the upper left corner of the interface: specify the image path in the APP_LOGO_PATH parameter of the configuration file (recommended format and size: PNG, 200×80 px)
Improved event display in Activity log and Notification settings: now only relevant events are shown depending on the encryption type
Added automatic logout from the mobile app and browser extension when a user's master password is changed: previously, changing the master password could cause errors in the app and extension
Changed the behavior of the "Reset filter" button in filter modal windows: the window now remains open after reset
Added icons for system events in the Activity log
Improved event descriptions in the Activity log
Bug fixes
Fixed an issue where multiple tags could display as a single element in the password details window in Security dashboard
Fixed an issue where some toggles in the "Role-based user management" section remained active when necessary permissions were missing
Fixed an issue where the “Set as owner” button could be unavailable (non-client-side encryption version)
Minor fixes to UI and localization
The new Python connector version 0.1.5 expands CLI utility capabilities. We've added commands that solve critical tasks for DevOps engineers and developers — secure retrieval and updating of secrets in automated pipelines.
What this solves
Hardcoded secrets, API keys, tokens, and database credentials create security vulnerabilities and operational bottlenecks. Manual secret management introduces delays and human error into deployment pipelines. The new get and update commands in passwork-cli fully automate secrets management. Passwork functions as your single source of truth (SSOT): secrets stay centralized, secure, and fully automated.
How the new commands work
get — retrieves data from Passwork
update — updates data in Passwork
Both commands support all field types: passwords, tokens, API keys, and custom fields.
Get: Retrieving data from entries
The get command extracts any field value from an entry and fits perfectly into automation scripts.
Retrieving specific fields
Use the --field flag to extract login, URL, or values from any custom field.
# Get API access token from custom field 'API_TOKEN'
export API_TOKEN=$(passwork-cli get --password-id "..." --field API_TOKEN)
Generating TOTP codes
If you store two-factor authentication secrets in Passwork, passwork-cli generates the current code directly in your terminal. Use the --totp-code flag.
# Get TOTP code for VPN connection
VPN_TOTP=$(passwork-cli get --password-id "..." --totp-code "VPN_SECRET")
Update: Modifying secrets
The update command changes data in Passwork and automates secret rotation.
Updating custom fields
The --custom-<field_name> flag updates values in custom fields.
# Update API key in entry
passwork-cli update --password-id "..." --custom-API_KEY "new-generated-key"
Bulk updates
Now you can modify multiple fields with a single command.
Both get and update commands fully support Passwork's client-side encryption mode. When using get, all encrypted fields are automatically decrypted using the master key. When executing update, data is first encrypted on your side and only then sent to the server.
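The get and update calls above, wrapped as fail-closed shell functions (an added example, not Passwork's own code). It assumes passwork-cli is already configured to reach your instance; PASSWORK_CLI, fetch_secret, new_key and rotate_custom_field are hypothetical names introduced here. The functions assign first and check the result because export VAR=$(...) hides the exit status of the command inside $(...).

```shell
#!/bin/sh
# Added example: fail-closed wrappers around the passwork-cli calls shown above.
# PASSWORK_CLI is a hypothetical override so the functions can be pointed at a test double.
PASSWORK_CLI="${PASSWORK_CLI:-passwork-cli}"

# fetch_secret ENTRY_ID FIELD
# Prints the field value; returns non-zero if the CLI fails or returns nothing.
fetch_secret() {
    _value=$("$PASSWORK_CLI" get --password-id "$1" --field "$2") || {
        echo "passwork-cli get failed for field $2" >&2
        return 1
    }
    if [ -z "$_value" ]; then
        echo "field $2 is empty; refusing to continue" >&2
        return 1
    fi
    printf '%s' "$_value"
}

# new_key: 32 random bytes from the kernel CSPRNG, hex-encoded (64 characters).
new_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# rotate_custom_field ENTRY_ID FIELD
# Writes a fresh key to the custom field, reads it back and compares.
# The new value is passed as an argument, as in the update example above,
# so it is visible in the local process list while the command runs.
rotate_custom_field() {
    _new=$(new_key) || return 1
    [ "${#_new}" -eq 64 ] || { echo "key generation failed" >&2; return 1; }
    "$PASSWORK_CLI" update --password-id "$1" "--custom-$2" "$_new" || {
        echo "passwork-cli update failed; old key is still current" >&2
        return 1
    }
    _stored=$(fetch_secret "$1" "$2") || return 1
    if [ "$_stored" != "$_new" ]; then
        echo "read-back mismatch for field $2" >&2
        return 1
    fi
    printf '%s' "$_new"
}
```

In a pipeline, call API_TOKEN=$(fetch_secret "..." API_TOKEN) || exit 1 and export API_TOKEN on its own line, so a failed lookup stops the job instead of exporting an empty value.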
The new version introduces customizable notifications with flexible delivery options, enhanced event logging descriptions, expanded CLI functionality, server-side PIN code storage for the browser extension, and the ability to enable client-side encryption during initial Passwork configuration.
Notification settings
We've added a dedicated notification settings section where you can choose notification types and delivery methods: in-app or via email.
Access notification settings in the Notifications section under Account in the settings menu.
Notification settings include two tabs:
Personal — notifications about your authentication events and actions of other users that affect your account
Activity log — notifications about selected events from the activity log. Notifications for events related to vaults, passwords, and tags are available for vaults with "Read" access level or higher.
For each event, you can independently choose how to receive notifications or disable them entirely.
Use the checkboxes in the two columns to the right of the event name:
Bell icon — in-app notifications in Passwork interface
Envelope icon — email notifications to your specified address
Select the desired checkboxes. Settings apply independently for each event type.
PIN in browser extension
The extension PIN is now stored on the server as a cryptographic hash. In the role settings, you can set a maximum user inactivity period, after which the extension asks for the PIN again. This narrows the window for a potential attack and protects against unauthorized access to an already open session.
How it works
Actions on first extension login:
User authenticates in the extension
If PIN is mandatory for the user's role — a prompt to create one appears
If PIN is optional — the user can enable it voluntarily for additional protection
After successful login, a temporary access session begins — the user works with the extension without re-entering the PIN. Session duration depends on role settings and personal preferences. The PIN is requested again if the user hasn't performed any actions in the extension during the set time period.
If PIN is mandatory for the user's role, it cannot be disabled
Security
Even if someone gains access to a user's session token, they cannot open passwords in the extension without the PIN.
Passwork automatically terminates all sessions when:
PIN code is reset
Three failed entry attempts occur
Mandatory PIN code is enabled for the user's role
User's role is changed to one where PIN code is mandatory
All PIN code actions are recorded in the Activity log
Zero knowledge mode
Added an option to enable client-side encryption (Zero knowledge mode) in the setup wizard during initial Passwork configuration. Previously, this required running a separate script or editing the configuration file.
Zero knowledge mode encrypts all data on the client side, making decryption impossible even if the server is compromised. Each user has their own master password that is never transmitted to the server.
Learn more about Zero knowledge mode in our documentation
Improvements
Added a confirmation modal window for changing role to Owner and restricted the ability to assign this role to users
Added pagination and change indicators in the hidden vaults modal window
Added error information and the update and get commands to the CLI utility (details in documentation)
Added the ability to retrieve current TOTP codes via CLI: the command now returns a one-time code instead of the original key
Improved security dashboard analysis: entries with an empty Password field no longer fall into the Weak category and are not evaluated for complexity
Added an option to limit link validity to one day
Improved display of long names and logins in User management
Improved display of inactive items in dropdown menus
Improved event descriptions in Activity log
Improved data import with large numbers of folders
Improved localization
Bug fixes
Fixed an issue where folders were not created during CSV import, causing passwords to import directly to the root directory
Fixed automatic launch of background tasks for loading groups, users, and LDAP sync when saving changes on the Groups and Synchronization tabs, and when starting manual sync in LDAP settings
Fixed display of pagination items when changing the sidebar width
Fixed an issue where pagination in User management could stop working after using the search bar
Fixed import window freezing when uploading files with large amounts of data and when importing vaults containing only folders
Fixed an issue in export where not all passwords could be exported after selecting all directories with the checkbox
Fixed an issue when bulk deleting large numbers of folders from the Bin
Fixed issues when moving columns: overlapping and extending beyond the visible area
Fixed filtering by invite creator: now it is possible to sequentially select different users without resetting the filter
Fixed an issue where checkboxes in access modals were not reset after canceling changes
Fixed an issue where a vault connection request appeared when connecting a user without access (version with client-side encryption)
Fixed an issue where copy and move folder to another vault options were unavailable if folder access was granted through a group without access to the root directory
Fixed an issue where the Move option remained available for folders in directories with "Full access" rights
Fixed an issue where the active tab reset to Users after refreshing the User management page
Fixed an issue in JSON import with structure preservation where passwords from folders could move to the root directory
Fixed KeePass XML import issues when the <UUID> tag is missing and custom fields transfer incorrectly
Fixed an issue where the first password edition was not saved after migration from version 6.x.x
Fixed an issue where attachments stopped downloading from links after preparing for migration in version 5.4.2, with the problem persisting after updating to version 7.x.x
Fixed an issue where links in the access window stopped displaying for some vaults and passwords after updating to version 7.x.x
Fixed an issue in migration from version 6.x.x where user IDs displayed instead of user names in notifications
Fixed user manual links: they now open in a new tab and lead to correct pages
Fixed an issue where favicon failed to display correctly when changing the URL to a site with an unavailable favicon
Fixed an issue where selected items remained highlighted after copying folders by drag-and-drop
Fixed the display of the default role in user creation and confirmation windows
Fixed an issue where the TOTP code would only update after reopening the password card when the key was changed
Other changes
Changed default values for "Access to vault actions" section in Vaults settings
Hid the "Password sent to group" item from the actions filter in Activity log (version with client-side encryption)
Hid the Edit menu item in the password send window for users without the appropriate access rights
Hid the "Connect mobile device" menu item for users who have mobile app usage restricted by their role settings
Important: Passwork requires MongoDB version 7.0 or higher. Earlier versions are not supported and may cause compatibility issues.
In the new version, we've improved the migration process from older versions of Passwork, enhanced descriptions in the Activity log, and made minor fixes to the UI and localization.
Improvements
Added a restriction that blocks users from changing their own authorization type
Improved migration to Passwork 7 for versions earlier than 5.3
Improved descriptions for certain events in the Activity log
Bug fixes
Fixed an issue where it was impossible to move a folder to the Bin via drag-and-drop if the "Access level required to copy folders and passwords" setting was set to "Action forbidden"
Fixed duplicate "Save settings" button in Vault settings
Fixed the display of parameter change indicators in Vault settings and User management in Safari browser
Fixed incorrect redirect to Recents after successful extension authorization
Further improved clickjacking protection: added blocking of clicks on hidden elements and checking for element overlap and CSS transformations
Fixed an issue when following a link from a notification to a deleted vault or password
Fixed an issue that could cause the extension to log out
Changes in versions 2.0.25 and 2.0.26
In version 2.0.25, the pop-up window offering autofill was disabled to test the extension’s resistance to clickjacking attacks. Warnings about suspicious elements on webpages were also added.
In version 2.0.26, autofill pop-ups are available again, and you can now disable them for the entire organization. The extension automatically detects and blocks most common clickjacking methods.
You can disable pop-up autofill suggestions by adjusting the Content scripts setting in the Browser extension section of the system settings (available starting from Passwork 7.1.2).