Critical bug: user not recognized despite valid local storage (Passbolt 5.10.x)

Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

Good morning mates, here is the bug I noticed using the passbolt extension (5.10.X on Chrome and 5.9.X on Firefox). Easy to reproduce I guess.

Context

  • Passbolt server: 5.10.0

  • Chrome extension: 5.10.4

  • URL: Self hosted environment, has been working fine for last 3 years, always up to date

  • Server environment:

    • healthcheck :white_check_mark: OK

    • GPG :white_check_mark: OK

    • server keys consistent

    • no blocking warnings


:red_exclamation_mark: Issue

During user setup (invitation or recovery kit):

  • User is successfully authenticated (isAuthenticated: true)

  • Keys are generated/imported

  • BUT:

    • unable to decrypt own passwords

    • passwords appear greyed out in UI

    • no server-side errors

    • extension errors:

The user is not set
The user id cannot be empty

Technical analysis (Chrome extension)

Inspection of chrome.storage.local:

:check_mark: Data present

  • _passbolt_data.config:

    • user.id = 807e1aa3-b635-4f18-be76-************
  • auth_status.isAuthenticated = true

  • public keys present

  • private key present

  • resources present

:cross_mark: Critical inconsistency

User public key:

user_id = 807e1aa3-b635-4f18-be76-************

User private key:

user_id = MY_KEY_ID   ❌

:backhand_index_pointing_right: The private key is stored with an incorrect identifier (MY_KEY_ID) instead of the actual user UUID.



:bullseye: Impact

  • The extension cannot associate the private key with the current user

  • Result:

    • unable to decrypt passwords

    • inconsistent state:

      • user authenticated

      • data present

      • but user not recognized



:test_tube: Tests performed

  • :repeat_button: Full browser reset (Firefox + Chrome)

  • :broom: Extension removal + clean reinstall

  • :bust_in_silhouette: User recreated

  • :key: Tested with valid recovery kit

  • :floppy_disk: Verified extension storage (chrome.storage.local)

  • :writing_hand: Storage write test → OK

  • :desktop_computer: Server fully validated (healthcheck, datacheck)

:right_arrow: Issue is reproducible in a clean environment

:pushpin: Steps to reproduce

  1. Install Passbolt extension 5.10.x

  2. Setup user (invitation or recovery kit)

  3. Inspect chrome.storage.local

  4. Observe:

    • config.user.id = real UUID

    • private key user_id = MY_KEY_ID

Here is my server healthcheck report:

Environment

[INFO] Linux ov-34f48f 6.8.0-106-generic #106-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 6 07:58:08 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
[PASS] PHP version 8.3.6.
[PASS] PHP version is 8.2 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.4.4 / libgcrypt 1.10.3
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory /var/log/passbolt/ and its content are writable.
[PASS] System clock is synchronized and NTP service is active.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://pw.swebetech.com
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (5.10.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 35 tables found.
[PASS] Some default content is present.
[PASS] The database version is supported.

Metadata

[PASS] The server is able to decrypt the metadata private key.
[PASS] Active metadata key found or not required.
[PASS] The server has access to the metadata keys or does not require access to it.
[PASS] The server metadata private key is valid.

[PASS] No error found. Nice one, sparky!

Thanks in advance for your help, let me know if I can provide you with anything else.

Cheers,

Romain