Keeper Release Notes

94 release notes curated from 97 sources by the Releasebot Team. Last updated: Jul 4, 2026

  • Jul 2, 2026
    • Date parsed from source:
      Jul 2, 2026
    • First seen by Releasebot:
      Jul 4, 2026
    Keeper

    Commander 18.0.10

    Keeper adds vault-style passphrase generation, a new PAM action service map command, and expanded KeeperAI connection controls, while also migrating service discovery data to the PAM graph and fixing several SSL, path, ownership, and detection issues.

    New Features

    • Vault-style passphrase generation
    • New pam action service map command to map users to discovered Windows services.
    • The KeeperAI settings command pam connection ai now supports the --enabled / -e and --session-terminate / -st flags to configure resource-level AI settings.

    Improvements

    • PAM graph migration — Service discovery data migrated from the user service graph to the PAM graph.

    Bug Fixes

    • Fixed KEEPER_SSL_CERT_FILE being ignored for SSL verification in REST, PAM, tunnel HTTP, and DAG connections.
    • Fixed nsf-mkdir to correctly resolve existing parent folder UIDs in paths instead of treating them as literal names.
    • Fixed non-owners being able to attach PAM rotation scripts; uploads are now flagged with is_script for server-side owner enforcement.
    • Fixed OS type detection by lowercasing the value before comparing against "windows".
    • Fixed mc_transfer_perform to respect the treeKeyTypeId property.
  • Jun 30, 2026
    • Date parsed from source:
      Jun 30, 2026
    • First seen by Releasebot:
      Jul 1, 2026
    Keeper

    Bridge Version 17.0.2

    Keeper releases a security update for Keeper Bridge that hardens the local service, fixes an unauthenticated WCF vulnerability, restricts inter-process communication to localhost, and tightens file system permissions on sensitive data.

    This is a security update for the Keeper Bridge which hardens the local service. We recommend all customers upgrade to the latest version.

    Security Updates

    • EB-488: Fixed unauthenticated WCF service vulnerability. Inter-process communication now uses Named Pipes, restricting access to localhost only.
    • EB-483: Hardened file system permissions on the Bridge data directory to prevent unauthorized access to sensitive database files by non-admin users.

    Updating

    After successful installation/upgrade of the Keeper Bridge, the server must be rebooted once before running Register.

    Resources

    Keeper Bridge guide

  • Jun 29, 2026
    • Date parsed from source:
      Jun 29, 2026
    • First seen by Releasebot:
      Jul 4, 2026
    Keeper

    KeeperDB 2.2.0

    Keeper releases KeeperDB 2.2.0 with easier Oracle connections, bundled Oracle Instant Client on desktop, better file exports through Keeper Gateway, and updates for SQL Server, MySQL, and the editor. It also adds macOS universal support and longer query timeouts.

    KeeperDB is a fast, secure, cross-platform database management tool. Use it inside KeeperPAM connections or as a standalone desktop app on Windows, macOS, and Linux.

    Query, explore, and operate PostgreSQL, MySQL, SQLite, Microsoft SQL Server, Oracle, and Amazon Redshift from one interface.

    KeeperDB is built for engineers and data scientists. It replaces legacy tools like DBeaver, MySQL Workbench, and pgAdmin. In KeeperPAM, it brings core database workflows into a fully managed passwordless experience.

    Quick Links

    Product Documentation | Download Now

    What's New in 2.2.0

    KeeperDB 2.2.0 makes Oracle databases easier to connect to, resolves file export issues when working through Keeper Gateway, and delivers a range of bug fixes and improvements across SQL Server, MySQL, and the desktop app.

    Oracle connections work out of the box on desktop

    The desktop apps (macOS, Windows, Linux) now ship with Oracle Instant Client bundled. Oracle connections no longer require a separate Instant Client installation — open KeeperDB and connect directly. If you have an existing Oracle client installed, KeeperDB will still use it; the bundled client is a fallback.

    Support for Keeper Vault's new Shared Folder system

    KeeperDB storage backed by Keeper Vault now supports the updated Nested Shared Folder architecture.

    macOS Universal binary (Intel + Apple Silicon)

    The macOS DMG now contains a single universal binary that runs natively on both Intel and Apple Silicon Macs.

    Gateway / RBI Improvements

    File exports and downloads now work reliably through the Keeper Gateway PAM connections.

    SQL Server

    KeeperDB now supports Azure Managed Instances.

    SQL Server connections via Amazon RDS now negotiate TLS correctly. The "database" field is now optional on the connect form.

    On desktop, SQL Server credentials imported from Keeper Vault were not being matched against the Saved Connections sidebar. This is fixed.

    MySQL / MariaDB

    Hash (#) comments are now supported. MySQL and MariaDB permit # as a single-line comment.

    TINYINT columns display as integers, not booleans

    TINYINT and BOOLEAN columns previously rendered as true/false. They now render as 1/0, which matches the actual wire value and avoids confusion when the column is used as a small integer rather than a flag.

    Editor and Query

    Running selected areas of the editor skips commented-out SQL

    When running a selection that contains lines toggled off with -- comments, those lines are now excluded from execution.

    Multi-statement result blocks are correctly sized. Result blocks for queries with multiple statements are now sized to fit their content instead of overflowing or collapsing.

    Query timeout extended to 3600 seconds. The maximum configurable query timeout is now 1 hour for long-running analytical queries.

    Resources

    KeeperDB Documentation

    KeeperDB Proxy Documentation

    KeeperDB Feature Page

    KeeperAI Documentation

    KeeperPAM

    Roadmap

    We publish bi-weekly updates based on customer feedback. Send feature requests and bug reports to [email protected], or post on our Reddit community page.

  • Jun 24, 2026
    • Date parsed from source:
      Jun 24, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Keeper

    Vault Release 18.4.0

    Keeper adds Privileged Cloud for just-in-time, identity-based access across cloud platforms and directory services, automatically granting and revoking temporary elevation with full auditability. The update also includes CNAPP improvements, bug fixes, and desktop and vault updates.

    Keeper Privileged Cloud — Just-In-Time Access for the Modern Enterprise

    Keeper Privileged Cloud delivers identity-based, just-in-time (JIT) access across cloud platforms and directory services. By granting temporary elevated access only when needed — and revoking it automatically when the session ends — Keeper Privileged Cloud eliminates standing privilege risk while keeping your workforce productive and your security posture strong.

    Access is enforced directly at the identity layer by temporarily modifying role assignments, group memberships, or entitlements within your existing identity provider — whether that's through SSO, federated applications, or role-based access controls. No manual cleanup, no forgotten permissions, and a full audit trail every step of the way.

    Key Benefits

    • Eliminates standing access risk with automatic, time-bound privilege grants
    • Identity-native enforcement through your existing SSO, group, and RBAC policies
    • Full auditability with complete logs of every access grant and revocation event

    When to Use Privileged Cloud

    Privileged Cloud is the right fit when:

    • Access is granted through an identity provider, directory group, or cloud role
    • Users sign in through SSO or a federated login flow
    • You want temporary entitlements instead of shared privileged accounts
    • Access must be approved, time-bound, and fully auditable

    Prerequisites

    Privileged Cloud extends KeeperPAM's Just-In-Time Access (JIT) framework. Before configuring, confirm the following are in place:

    • A Keeper Secrets Manager application is configured and operational
    • A KeeperPAM Gateway is deployed and can reach the identity provider APIs
    • Workflow is enabled for approval and time-bound access
    • A PAM Configuration exists for a supported identity platform
    • The target user exists in both Keeper and the identity source
    • The target group, role, or entitlement already exists in the identity platform
    • The target cloud account, tenant, or application already trusts that identity platform
    • The Gateway has outbound network access, DNS resolution, and HTTPS connectivity to the required endpoints

    If you use federated access, confirm the trust relationship between the target platform and the external identity provider is working before enabling Privileged Cloud.

    Identity Modes

    Privileged Cloud supports two identity modes. When a request is submitted, KeeperPAM applies the elevation through one of the following paths:

    Direct identity mode — KeeperPAM communicates directly with the identity system defined in the PAM Configuration. Use this when the target platform manages its own identities and roles.

    Federated identity mode — KeeperPAM routes the request through a separate identity provider configuration. Use this when the target platform relies on an external IdP for authentication or entitlement mapping. To enable, turn on Federated Identity in the PAM Configuration and select the separate PAM Configuration that points to the external IdP. KeeperPAM applies the temporary identity change in the federated directory, then lets the target platform evaluate that change through its normal SSO or federation path.

    For a full list of supported platforms, see Supported Identity Platforms.

    Visit the Keeper Privileged Cloud docs to learn more.

    Improvements

    • VAUL-9031: Add zero-state screen for CNAPP Cloud Security
    • VAUL-9034: Enhance Manage Access and Enable JIT from Remediate Action modal
    • VAUL-9072: Add new CNAPP Remediation Action — Remove Standing Privilege
    • VAUL-7557: Audit dependencies
    • VAUL-9035: Update wording on CNAPP modals for "Enable JIT" and "Manage Access"
    • VAUL-9047: Update record/folder selected state in dark mode
    • VAUL-9081: Fix CNAPP fields showing on both "General" and "Features" tabs
    • VAUL-9089: Resolve vault SBOM vulnerabilities
    • KDE-2119: Allow folder names to span 2 lines of text
    • KDE-2137: Resolve desktop SBOM vulnerabilities

    Bug Fixes

    • VAUL-8831: Permission error message when clicking Share button on non-KD account
    • VAUL-8869: Sharee with "Can Manage Records" in classic SF missing disabled fields for KD account
    • VAUL-8870: Sharee with "Can Manage Users" in classic SF missing disabled fields for KD account
    • VAUL-8893: Error message when clicking Share in record options menu on non-KD account
    • VAUL-9007: CNAPP issue stays in "Requires Attention" when rotation fails without resolution submission
    • VAUL-9025: Cloud Security titles, tags, and severity not translated
    • VAUL-9033: Japanese translation misses
    • VAUL-9053: Team Name and View Team link on same line; missing space beneath My Folders label
    • VAUL-9060: PAM rotating SSH Admin with private key failing
    • VAUL-9062: Add missing restricted-to-share message in KD GRE
    • VAUL-9076: Fix zero state for Cloud Security
    • KDE-2088: LastPass Shared Folders fail to import via Automated Import
    • KDE-2123: Linux Fedora checksum errors when updating to 18.2.1
    • KDE-2134: Microsoft Defender ASR blocking bootstrap executable from Microsoft Store install path

    Web Vault Update Instructions

    To ensure you're using the latest Web Vault, simply reload the vault login page (or Shift+Ctrl/Cmd+R to force refresh)

    Desktop Update Instructions

    If you installed Keeper Desktop directly from the Keeper website, download the latest version from: https://www.keepersecurity.com/download.html?t=d

    If you installed Keeper Desktop from the Mac App Store or Microsoft Store, visit the store to perform the update.

  • June 2026
    • No date parsed from source.
    • First seen by Releasebot:
      Jun 24, 2026
    Keeper

    Python SDK 1.2.0

    Keeper releases Python SDK 1.2.0.

  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jul 4, 2026
    Keeper

    Commander 18.0.9

    Keeper adds new KeeperAI PAM connection settings, an online filter for PAM gateways, managed company transfers for MSPs, and selective Thycotic imports. It also expands KCM export handling, tightens NSF sharing controls, and fixes security and rotation issues.

    New Features

    KeeperAI PAM Connection Settings

    pam connection ai

    New command to manage KeeperAI settings on PAM resources and remote browser instances. Supports show, set, unset, and remove operations for AI configuration on PAM connections.

    PAM Gateway Online Filter

    The command pam gateway list now accepts --online (-o) to filter results to only online gateways, along with gateway totals in the output.

    Enterprise MSP Transfer

    Added support for transferring a managed company to another MSP. The backend will be live next week in production to support this command.

    Thycotic Import: Selective Secret IDs

    import --format thycotic now accepts --secret-ids (comma-separated) to import or inspect specific secrets by ID — useful for debugging cases where the Thycotic lookup API omits secrets due to security policies.

    KCM: Port Mapping Defaults and Empty User Handling

    KCM export now supports connections with empty user or port fields: missing ports fall back to protocol defaults (configurable via KCM_mappings.json), connections missing a user are logged for follow-up, and allow-file-uploads is available for RBI connections.

    Bug Fixes

    Fixed a SQL injection vulnerability in legacy Commander MSSQL password rotation and added input validation to reject unsafe --password values.

    Fixed an issue where pam rotation edit did not correctly apply SaaS profiles.

    Fixed the permission-check rotation request for IAM user links — configurationUid, matching revision, and an explicit empty resourceUid are now sent to correctly handle IAM rotation semantics.

    NSF Share Expiration and Folder Labels

    Fixed expiration updates for nsf-share-folder and nsf-share-record

    Enforced a one-minute minimum on NSF and classic share expiration

    Standardized list/search record_category output to lowercase (classic/nested)

    Renamed Supershell Drive folder labels to Nested Shared Folder (Shared) and Nested Shared Folder (NonShared)

    Nested Shared Folder - Record Add/Update Policy Enforcement

    The nsf-record-add and nsf-record-update commands now enforce GENERATED_PASSWORD_COMPLEXITY and RESTRICT_RECORD_TYPES enterprise policies.

  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jun 24, 2026
    Keeper

    Admin Console 17.10.0

    Keeper releases Admin Console 17.10.0 with KEPM Agentic AI Governance, extending privilege management to AI agent identities. It adds a redesigned KEPM dashboard, dedicated Agentic AI collections, AI tags in application views, and an improved policy creation flow.

    KEPM Agentic AI Governance - Admin Console Support

    Admin Console version 17.10.0 introduces KEPM Agentic AI Governance v1, a major update to Keeper Endpoint Privilege Manager that extends privilege management to AI agent identities. This release delivers a redesigned KEPM dashboard, a new dedicated Agentic AI collection type, Agentic AI tagging within Application collections, and an enhanced policy creation experience.

    To learn more about Keeper Endpoint Privilege Manager click here.

    Keeper Endpoint Privilege Manager now supports governance of Agentic AI identities alongside traditional human and machine accounts. Administrators can define, manage, and apply privilege policies to AI agents directly from the Admin Console, with full visibility into AI agent risk scores, policy enforcement status, and activity.

    • New AI dashboard — real-time overview of open requests, high-risk events, registered endpoints, high-risk AI identities, over-privileged agents, and policy activity
    • Agentic AI collections — a dedicated collection type for grouping and governing AI agent identities, separate from standard user accounts
    • Agentic AI tags in application collections — AI-driven applications are now tagged with an Agentic AI pill within the existing Applications collection view
    • Updated policy creation — redesigned policy screen with enhanced required access control options
  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jun 24, 2026
    Keeper

    Keeper Gateway 1.8.4

    Keeper improves PAM and gateway capabilities with IdP configuration linking, Azure force provision user properties, IdP authentication for PAM machines and databases, validation for Active Directory privilege elevation, plaintext secrets support, and fixes for JIT, DB Proxy, and KeeperDB issues.

    Improvements

    DR-1208: Implement IdP configuration linking in PAM Configurations
    DR-1214: Azure force provision user properties (group / role)
    DR-1253: Support for IdP authentication with PAM machines and PAM databases
    DR-1250: Support linking identity provider PAM configuration to another PAM Configuration
    DR-1249: Validation for privilege elevation on Active Directory
    DR-1277: USS: Support option for plaintext secrets
    DR-1283: Improvements to Services and Scheduled Tasks

    Bug Fixes

    PG-235: Resolved issue where gateway lacked configuration validation for excessive JIT login delay
    PG-308: Resolved issue where DB Proxy session recordings don't work with sourcing files
    PG-314: Resolved issue where KeeperDB proxy MySQL query logs empty/unreadable with JDBC clients (e.g. DBeaver)
    PG-345: Resolved issue where JIT elevation times out on large AD environments due to full group enumeration
    PG-351: Resolved issue where launching KeeperDB ignores the credential selected from the launch dropdown

    Update Instructions

    Please visit the Keeper Gateway documentation for your specific platform:

  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jun 23, 2026
    Keeper

    Browser Extension Version 18.0.0

    Keeper releases Browser Extension support for Nested Shared Folders with role-based permissions and BreachWatch, while also delivering performance improvements and bug fixes for a smoother, more scalable vault experience.

    Keeper Browser Extension version 18.0.0 introduces support for Nested Shared Folders and BreachWatch along with various performance improvements and bug fixes.

    Nested Shared Folders With Role-Based Folder Permissions

    Keeper is redefining how users and teams organize, share and protect their most sensitive records. With the introduction of Nested Shared Folders with Role-Based Folder Permissions, we’ve rebuilt the vault’s folder, sharing and permissions model from the ground up, delivering a more flexible and scalable experience for every user and team.

    Role-Based Folder Permissions give administrators granular control over exactly who can view, edit, share and manage content at every level of the folder hierarchy — whether you're an individual user, managing a small team, or operating across a global enterprise.

    During this transition, the new Nested Shared Subfolder system will exist alongside the existing Classic folder system and permission model, with two distinct folder icons to help users easily differentiate between them.

    This feature is currently available by invitation only. To learn more and request access, please see our end-user guide, contact your Keeper representative or visit keepersecurity.com/contact.

    User Experience

    Within the browser extension, users can now add new and existing records to any newly created folders within the Nested Shared Folders system and all associated permissions will apply consistently across clients.

    Classic and Nested Shared folders are easily distinguished by two distinct folder icons — Nested Folders display as solid in color, while Classic folders appear with a transparent icon.

    Improvements

    • BE-7072: Performance improvements for vaults that have hundreds of entries mapped to the same domain.
    • BE-7447: Added support for BreachWatch in the Keeper Browser Extension. BreachWatch is a powerful, secure add-on that monitors the internet and dark web for breached accounts matching your Keeper Vault records, alerting you to take immediate action, including changing your password at the affected website to protect yourself against hackers.

    Bug Fixes

    • BE-7685: Newly shared records do not always appear while user is actively logged into the extension.
    • BE-7659: Form filler iframe popup is not clickable when login modal opened.
    • BE-7655: Device Approval screen fails to load if SSO account requires device approval.
    • BE-7644: When user has multiple records for same URL, clicking "Launch" from URL field on detailed view on record B fills credentials from record A if A has Autofill ON.
    • BE-7466: When user has multiple records for same URL, clicking "Launch" from detailed view on record B fills credentials from record A if A has Autofill ON.
    • BE-7611: Click-and-drag to secondary monitor causes popups to flicker or disappear (Firefox).
    • BE-7578: Master password reveal then left click behavior in Windows is non-standard (single vs double click).
    • BE-7479: Manual Sync fails to update role enforcement policy changes.
  • Jun 19, 2026
    • Date parsed from source:
      Jun 19, 2026
    • First seen by Releasebot:
      Jun 23, 2026
    Keeper

    Vault Release 18.3.0

    Keeper improves Web Vault, Desktop, and Secrets Manager with better linked-service handling after password rotation, new CNAPP remediation controls, nested shared folder move and trash restore, cleaner folder display, and multiple bug fixes across KeeperDrive, biometrics, search, and syncing.

    Improvements

    VAUL-7523: Several front-end enhancements to improve the user experience around managing linked services after a password rotation occurs.
    Visit the Windows Services and Scheduled Tasks docs to learn more.

    VAUL-8883: Enhanced the front-end UI to directly configure JIT access from the CNAPP Remediate Action modal screen.
    Visit the Cloud Security docs to learn more about CNAPP integrations

    VAUL-8944: Added ability to configure Manage Access from the CNAPP Remediate Action modal screen.

    VAUL-9005: Implemented trashcan sync and restore for Nested Shared Folders and records.

    VAUL-9003: Implemented move command for Nested Shared Folders and records.

    VAUL-9002: Implemented "Deny" option on inherited folder access in Nested Shared Folders.

    VAUL-9016: Folder names now display up to two lines of text before truncating, to accommodate very long folder names.

    VAUL-9044: Long folder names are now properly truncated in Create New Record, Legacy Folder Detail, and KSM Detail views.

    VAUL-9015: Added Applications tab to nested shared subfolders in the Secrets Manager UI.

    VAUL-8905: Refactored and consolidated legacy and new record permissions (Phase I).

    VAUL-8381: Users can now select existing shared folders when creating a gateway during onboarding.

    Bugs

    VAUL-8963: Fixed an issue where user supplied credentials were not sent correctly for RBI sessions.

    VAUL-9054: Fixed an issue where non-KeeperDrive enterprise vaults were using KeeperDrive record-create commands, causing records to vanish.

    VAUL-9055: Fixed an issue where KeeperDrive folders could not be shared to teams.

    VAUL-8701: Fixed an unexpected EncryptedDataKeyType.NO_KEY error when logging in with biometrics on a different browser.

    VAUL-8972: Fixed an issue where discovery rules were not always saved in the web vault.

    VAUL-8998: Fixed missing "Risk Type" information on the CNAPP Vulnerability Details screen.

    VAUL-9023: Fixed CNAPP Cloud Security filter counts not updating correctly when filter options are changed.

    VAUL-9039: Fixed a broken link in the "Enable JIT flow for CNAPP" remediation.

    VAUL-9032: Fixed incorrect label styling in Rotation Settings.

    VAUL-8371: Fixed an issue where the PAM graph did not always sync for resources and users without configuration access.

    VAUL-8908: Fixed the share dialog title not truncating with an ellipsis for long names.

    VAUL-8897: Fixed search returning no results when searching by KeeperDrive folder name or UID.

    VAUL-8824: Fixed several design mismatches when editing a folder name in KeeperDrive.

    VAUL-8691: Fixed an issue where creating a new shared subfolder in a large vault did not auto-focus on the newly created folder.

    VAUL-8807: Fixed missing error message when attempting to add an existing KeeperDrive record to a KeeperDrive folder.

    Web Vault Update Instructions

    To ensure you're using the latest Web Vault, simply reload the vault login page (or Shift+Ctrl/Cmd+R to force refresh)

    Desktop Update Instructions

    If you installed Keeper Desktop directly from the Keeper website, download the latest version from:
    https://www.keepersecurity.com/download.html?t=d

    If you installed Keeper Desktop from the Mac App Store or Microsoft Store, visit the store to perform the update.

  • Jun 19, 2026
    • Date parsed from source:
      Jun 19, 2026
    • First seen by Releasebot:
      Jun 19, 2026
    Keeper

    Keeper Security Workflow

    Keeper expands its ServiceNow Workflow app with secure just-in-time access to secrets, credentials, and systems, adding Endpoint Privilege Manager approvals, access requests for records and folders, and vault storage. It also supports nested subfolder permissions, password rotate on expire, and richer search details.

    The Keeper Security Workflow app allows organizations to manage privileged access directly within ServiceNow, enabling users to request and approve access to secrets, credentials, and systems. This integration provides just-in-time (JIT) access without standing privileges, supporting secure workflows.

    Key features

    • Endpoint Privilege Manager Approvals
    • Request Access To Record/Folder
    • Store Records To Keeper Vault

    Release notes

    • Support for Nested Sub Folder permission types
    • Support for password rotate on expire for PAM record types
    • Detailed record description and type in search modal

    Requirements

    • Service Catalog Platform
    • Keeper Security ITSM Application (Optional)
  • Jun 18, 2026
    • Date parsed from source:
      Jun 18, 2026
    • First seen by Releasebot:
      Jun 24, 2026
    Keeper

    Keeper Gateway 1.8.3

    Keeper Gateway 1.8.3 improves scheduled services discovery, Universal Secret Sync tag writing, and fixes RBI session rejections.

    Gateway 1.8.3 delivers Scheduled and Services improvements, Universal Secret Sync tag-writing enhancements, and a fix for Remote Browser Isolation session rejections.

    Improvements

    DR-1204: Scheduled and Services discovery and rotation propagation improvements

    DR-1275: Universal Secret Sync - Write title and keeperRecordType attributes to resource tags instead of secret attributes

    Bug Fixes

    PG-332: Resolved issue where RBI userSupplied sessions were rejected due to wrong settings key lookup

    Update Instructions

    Please visit the Keeper Gateway documentation for your specific platform:

  • Jun 18, 2026
    • Date parsed from source:
      Jun 18, 2026
    • First seen by Releasebot:
      Jun 18, 2026
    Keeper

    Backend API 18.1.3

    Keeper adds Nested Shared Folder folder moves, trashcan restore to a chosen target folder, stronger enterprise enforcement policies, richer compliance reporting, record sharing notifications, and audit logging for folder reparenting, plus sync, deletion, and access control fixes.

    New Features

    • Folder Move (Reparenting): Users can now move folders between locations in their vault, allowing easy reorganization of folder hierarchies within Nested Shared Folders.
    • Trashcan Restore: Records and folders sent to the trashcan can now be restored to a specified target folder, with per-item status reporting and full sync support.
    • Enterprise Enforcement Policies for Shared Folders: Administrators can now enforce policies that restrict creating records outside shared folders, restrict creating shared folders, restrict removing records from shared folders, and restrict deleting shared folders — all applied consistently across folder and record operations including moves.
    • Compliance Reporting for Nested Shared Folder: Compliance reports now distinguish between Drive and legacy records, and include the full Nested Shared Folder permission model in the response payload.
    • Record Sharing Notifications: Users now receive notifications when a record is shared with them or when record ownership is transferred.
    • Folder Move Audit Logging: Folder reparenting operations are now captured in the audit log for enterprise visibility.

    Improvements

    KA-8646: Improved the compliance reporting query engine to use parameterized queries instead of dynamic query construction. This improves query plan caching and aligns with best practices for database query handling.

    KA-8144: Implemented trashcan restore functionality, allowing users to recover deleted records and folders to a specified target folder.

    KA-8183: Reduced excessive logging noise caused by repeated warnings during sync operations. Lowered the log severity and removed obsolete registry entries that were flooding operational logs.

    KA-8483: Added user notifications when a record is shared with them in a Nested Shared Folder context. Affected users and team members now receive a sharing notification.

    KA-8495: Enforced the enterprise policy that restricts record removal from Nested Shared Folders on the folder record-removal operation. Enterprise users subject to this restriction now receive a clear per-item error, while records in personal folders remain unaffected.

    KA-8496: Enforced the enterprise policy that restricts Nested Shared Folder deletion on the folder removal operation. Enterprise users subject to this restriction now receive a per-folder error, while non-shared folders remain unaffected.

    KA-8534: Added user notifications when record ownership is transferred in a Nested Shared Folder context. The receiving user now receives a transfer notification.

    KA-8569: Fixed the enforcement that restricts record creation to Nested Shared Folders only. Previously the logic was inverted, blocking record creation inside shared folders instead of outside them. Records created without a folder assignment are now also correctly evaluated.

    KA-8570: Enforced the enterprise policy that restricts record removal from Nested Shared Folders on the record move operation. Moving a record out of a shared folder is now correctly blocked when this enterprise policy is active.

    KA-8571: Enforced the enterprise policy that restricts shared folder deletion on the folder move operation. Moving a Nested Shared Folder or its subfolders is now blocked when this enterprise policy is active, preventing structural changes that are equivalent to deletion.

    KA-8572: Enforced the enterprise policy that restricts folder creation to shared folder locations only. Users subject to this policy can no longer create folders in personal locations through the new folder operations.

    KA-8573: Enforced the enterprise policy that restricts the creation of new Nested Shared Folders. Sharing a previously unshared folder is now blocked when this policy is active, preventing users from working around the restriction.

    KA-8580: Added audit logging for folder move (reparenting) operations. Nested Shared Folder moves are now recorded in the enterprise audit trail for compliance and tracking purposes.

    KA-8619: Enhanced compliance reports to distinguish between Nested Shared Folders and legacy records, and to include the full Nested Shared Folder permission model. Clients can now identify record types and render the richer Nested Shared Folder permission set (edit, share, denied, access type, ownership) alongside the existing permission data.

    KA-8624: Enforced the enterprise policy that restricts Nested Shared Folder creation on the folder move operation. Moving a folder under a shared parent with permission inheritance enabled is now blocked when this policy is active.

    KA-8714: Fixed trashcan to correctly return removed trashcan records after a restore operation. Restored items now properly appear in the removal list during the next trashcan sync.

    KA-8778: Improved full sync to exclude access metadata and record metadata for records that have been moved to the folder trashcan.

    KA-8817: Investigated and fixed the handling of record-level access additions when access already exists. This resolves edge cases surfaced during denial add/removal operations where duplicate access entries could cause unexpected behavior.

    KA-8861: Upgraded a core networking dependency to address published CVEs as part of our standard update process. This is a security-only upgrade with no functional changes.

    KA-8068: Users can now move folders from one location to another within their Nested Shared Folder vault. This enables easy reorganization of vault folder structures by reparenting folders and their contents to new destinations.

    Bugs

    KA-8505: Fixed an issue where creating a folder without explicitly specifying the folder type would be incorrectly rejected. The system now correctly defaults to a normal folder when the type is not specified.

    KA-8521: Fixed an issue where a classic shared folder record could be incorrectly added to a Nested Shared Folder during a record update. The system now validates record compatibility and blocks cross-model placement.

    KA-8522: Fixed a permissions issue where users with content and share manager access could incorrectly delete records. Content and share manager permissions no longer grant deletion rights.

    KA-8525: Fixed an issue where shared folder users were not receiving real-time push notifications after the record owner deleted a record. Clients now receive a push signal so they can immediately reflect the deletion.

    KA-8527: Fixed an issue where the record expiration setting could not be reset after the expiration duration was changed. Users can now correctly clear or modify the expiration setting on Nested Shared Folder records.

    KA-8533: Fixed intermittent errors on folder operations caused by concurrent access. The system now gracefully handles contention and returns an appropriate retryable error.

    KA-8542: Fixed an issue where security score data was empty for Nested Shared Folder records. Security scores are now correctly populated for Nested Shared Folder records.

    KA-8567: Fixed an issue where full sync returned orphaned data, event history, and stale removal signals for records and folders that no longer exist. Full sync now only includes data for active, accessible items.

    KA-8568: Fixed an issue where retrying a failed file upload returned an error instead of providing a new upload link. File upload retries now correctly return a fresh upload link.

    KA-8576: Fixed a session security issue where a record deletion confirmation could be accepted from a rotated session token. Confirmation tokens are now validated against the originating session for consistency.

    KA-8586: Fixed a server error during sync that could occur when a user's vault entered an unrecoverable state. The sync engine now handles this edge case gracefully instead of returning an internal error.

    KA-8587: Fixed an issue where BreachWatch security data was not cleared after a Nested Shared Folder record was deleted. Deleting a record now properly removes associated BreachWatch data.

    KA-8614: Fixed an issue where moving a Nested Shared Folder to the trashcan was not reflected in the subsequent trashcan sync. Trashed folders now correctly appear in the trashcan sync response.

    KA-8615: Fixed an issue where PAM configuration records could not be created as Nested Shared Folder records. PAM configuration record creation now works correctly in Nested Shared Folder-enabled environments.

    KA-8618: Fixed an issue where partial sync was incorrectly demoted to a full sync for users who only had folders and no records. Partial sync now works correctly for folder-only users, ensuring they receive proper removal signals.

    KA-8623: Fixed an issue where transferring record ownership returned both a classic and a Nested Shared Folder record entry in the sync response for the new owner. Ownership transfers now produce a single, correct record entry.

    KA-8640: Fixed an issue where permanently deleting a folder did not cascade to its subfolders and grandchild items. Permanent folder deletion now correctly removes the entire folder tree.

    KA-8651: Fixed a data type mapping error in the Nested Shared Folder access denial filtering logic. This prevents potential incorrect behavior in future access-denial processing.

    KA-8666: Fixed an issue where setting a non-standard folder usage type on a Nested Shared Folder update was silently accepted but not applied. Invalid folder usage type values are now properly validated and rejected.

    KA-8669: Fixed server errors and deadlocks when creating Nested Shared Folders under high concurrency for the same user. The system now handles concurrent folder creation requests gracefully.

    KA-8678: Fixed an error response where an invalid permission inheritance value returned a server error instead of a proper validation error. Invalid input is now correctly reported as a bad request.

    KA-8680: Fixed an error where an oversized folder identifier returned a server error instead of a proper validation error. Invalid input is now correctly reported as a bad request.

    KA-8709: Fixed an intermittent issue where re-sharing a Nested Shared Folder tree could lose child records created by team users after the owner's access was revoked and re-shared. Records created by team members are now properly retained through share revoke/re-share cycles.

    KA-8754: Fixed an improper access control vulnerability in Nested Shared Folder. Access control checks now correctly enforce permissions for the affected operation.

    KA-8783: Fixed an issue where trashing or permanently deleting a Nested Shared Folder left orphaned access and sharing state data. Folder trash and empty-trash operations now fully clean up all associated access data.

    KA-8784: Fixed an issue where moving a record to the trashcan incorrectly removed its access data, which is needed for future restoration. Record access data is now preserved when records are trashed, ensuring correct restore behavior.

    KA-8791: Fixed an issue where Nested Shared Folder records could not be moved to the vault root. Nested Shared Folder records can now be successfully moved to the top-level vault location.

    KA-8806: Fixed an issue where BreachWatch security data clearance after record deletion was not communicated to Nested Shared Folder clients. Clients now receive the proper signal to clear BreachWatch data upon record deletion.

    KA-8809: Fixed an issue where Nested Shared Folder records could not be moved out of the vault root to a folder. Records at the vault root can now be moved into Nested Shared Folders.

    KA-8834: Fixed a permissions issue where share admin users could not move records in certain scenarios. Share admin elevation is now correctly applied during record move permission checks.

    KA-8835: Fixed an issue where restoring a trashed item to the vault root was rejected because an empty target folder was not accepted. Trashcan restore now correctly handles restoration to the vault root.

    KA-8846: Fixed a server error that occurred during time-limited access expiration when the associated user account could no longer be resolved. The system now gracefully handles this edge case and continues processing the expiration.

    KA-8853: Fixed a race condition where enterprise policy enforcement for Nested Shared Folder restrictions could incorrectly block record creation immediately after a folder was shared. The system now reads the latest sharing state to avoid false policy violations.

    KA-8855: Fixed an issue where the contents of trashed folders could not be decrypted because the necessary encryption keys were not included in the sync response. Trashcan sync now includes the required keys to allow clients to display trashed folder contents.

    KA-8860: Fixed an issue where moving a folder left stale parent references, causing the moved folder and its contents to appear under the old location or disappear entirely during a full sync. Nested Shared Folder moves now correctly update all parent references in the sync data.

  • Jun 17, 2026
    • Date parsed from source:
      Jun 17, 2026
    • First seen by Releasebot:
      Jun 19, 2026

    Keeper

    Keeper Privileged Cloud

    Keeper introduces Privileged Cloud for identity-based just-in-time access across cloud and directory platforms, bringing time-bound privilege elevation through approved group, role, or entitlement changes with automatic revocation when access expires.

    Keeper Privileged Cloud

    Keeper Privileged Cloud provides identity-based just-in-time access across cloud and directory platforms.
    It grants temporary elevated access by changing identity-layer membership or role assignment for an approved user.
    Use this model when access is controlled by an identity provider, SSO flow, federated application, group membership, or role-based access control.

    Understanding JIT and ZSP

    Just-In-Time (JIT) Access: Provides users with privileged access only at the moment they need it, for a limited time period, and often with approval workflows.

    Zero Standing Privilege (ZSP): A security approach where users have no permanent privileged access to systems, eliminating the risk associated with compromised privileged accounts.

    In Privileged Cloud, JIT access is typically delivered through temporary group membership, role assignment, or entitlement grant in the identity provider.

    Supported Identity Platforms

    Keeper Privileged Cloud supports JIT privilege elevation on the following identity platforms:

    • AWS IAM
    • Microsoft Entra ID
    • GCP through Google identity
    • Okta
    • Active Directory

    Any cloud platform or SaaS application that uses one of these identity platforms for authentication or authorization can use Privileged Cloud.

    Supported Record Types

    Privileged Cloud supports JIT privilege elevation through the following record types:

    • PAM Cloud record
    • PAM Machine
    • PAM Database

    What this model changes

    Privileged Cloud changes access in the identity layer.
    It does not rely on standing admin credentials shared with end users.

    Depending on the target platform, KeeperPAM can:

    • Add the user to a mapped group
    • Assign a temporary role or entitlement
    • Remove that membership or assignment automatically when access expires

    The target cloud console, application, CLI, or SDK then evaluates that identity change through its normal SSO or authorization flow.

    When to use Privileged Cloud

    Use Privileged Cloud when:

    • Access is granted through an identity provider, directory group, or cloud role
    • Users sign in through SSO or a federated login flow
    • You want temporary entitlements instead of shared privileged accounts
    • Access must be approved, time-bound, and fully auditable

    Prerequisites

    Privileged Cloud extends KeeperPAM's Just-In-Time Access (JIT) framework.

    Before configuring Privileged Cloud, ensure the following prerequisites are met:

    • A Keeper Secrets Manager application is configured and operational
    • A KeeperPAM Gateway is deployed and can reach the identity provider APIs
    • Workflow is enabled for approval and time-bound access
    • A PAM Configuration exists for a supported identity platform

    What must already exist

    Before rollout, confirm the following objects already exist in your environment:

    • The target user exists in both Keeper and the identity source
    • The target group, role, or entitlement already exists in the identity platform
    • The target cloud account, tenant, or application already trusts that identity platform
    • The Gateway has outbound network access, DNS resolution, and HTTPS connectivity to the required endpoints

    If you use federated access, confirm the trust relationship between the target platform and the external identity provider is already working before enabling Privileged Cloud.

    Installing the Keeper Gateway

    The KeeperPAM Gateway runs inside your managed network and executes the identity-side changes required for JIT elevation.

    Deploy the Gateway on Docker, Linux, or Windows in each network segment that must reach the target identity platform or managed resource.

    Identity modes

    Privileged Cloud supports two identity modes.

    When a request is submitted, KeeperPAM applies the elevation through one of the following paths:

    • Direct identity mode — KeeperPAM communicates directly with the identity system defined in the PAM Configuration. Use this when the target platform manages its own identities and roles.
    • Federated identity mode — KeeperPAM routes the request through a separate identity provider configuration. Use this when the target platform relies on an external IdP for authentication or entitlement mapping.

    In federated identity mode, enable Federated Identity on the PAM Configuration and select the separate PAM Configuration that points to the external IdP.

    This allows KeeperPAM to apply the temporary identity change in the federated directory, then let the target platform evaluate that change through its normal SSO or federation path.

    What actually happens

    • An admin configures JIT and Workflow on a PAM resource.
    • The record is shared with eligible users.
    • A user selects Request Access.
    • An approver reviews the request.
    • After approval, KeeperPAM adds temporary membership or role assignment in the identity platform.
    • The user launches the target console, application, or workflow during the approved window.
    • When the window ends, KeeperPAM removes the temporary access automatically.

    PAM Cloud record

    The PAM Cloud record is used when access to a cloud account, tenant, console, or federated application is controlled through a supported identity platform.

    It allows admins to map a requestable Keeper record to the correct group, role, or entitlement in that platform.

    Configure and share the PAM resource

    Before a user can receive temporary access, the record owner must configure both JIT and Workflow on the record.

    This includes the access duration, approval path, target group or role, and which users can request access.

    The owner then shares the record with eligible users so they can request elevation.

    To request access, the user must already exist in the identity platform and in the Keeper tenant.

    Once the record is shared, the user can request the temporary entitlement mapped to that record.

    Configure elevation and access

    Each PAM resource that uses Privileged Cloud must have both JIT and Workflow configured before users can request access.

    Configuring JIT Settings

    JIT settings define which group, role, or entitlement is granted when a request is approved.

    For group-based access, the configured group name must match the target group in the identity platform.

    For role-based access, the mapped role or assignment must already exist on the target platform.

    Workflow Settings

    Workflow settings define the approval and governance controls the requester must satisfy before access is granted.

    A record can enforce access duration, required approvals, justification, and ticket number collection.

    This helps align JIT elevation with IAM governance and ITSM processes.

    Accessing a Resource After Elevation

    Once access is approved, users can access the target resource through Keeper's Remote Browser Isolation (RBI) or through the organization's standard authentication workflow.

    With RBI, the user launches the protected application directly from the Keeper Vault in an isolated browser session.

    Users can also access the platform through the same SSO, console, CLI, Terraform, or SDK workflow they normally use.

    For example, AWS IAM Identity Center users can sign in through the standard AWS access portal. CLI and automation users can continue using their normal login flow if that workflow evaluates the temporary role or group assignment.

    Because KeeperPAM applies temporary elevation in the identity layer, the user can assume the approved role or receive the approved entitlement only during the approved window.

    When the access duration expires, KeeperPAM revokes that elevated access automatically.

    Access Workflow

    The following workflow applies to PAM Cloud, PAM Machine, and PAM Database records that use identity-based elevation.

    In this example, a PAM Cloud record is configured for access and shared to an end user, who then requests access.

    User Requests Access

    Once a PAM resource is shared and JIT and Workflow are configured, the user can submit an access request from the Keeper Vault or from Commander.

    In the example below, the user locates the PAM Cloud record in their Vault and clicks Request Access.

    The request is routed to the designated approver or approvers.

    Notifications are sent through the Keeper notification center.

    The requester receives an update when access is approved or denied.

    The requesting user can also check the approval status, send the approver a reminder, or cancel the request.

    Approver Reviews the Request

    Approvers receive real-time notifications across all Keeper clients, including mobile.

    The approver can review and act on the request directly from their device.

    • Approval triggers KeeperPAM to perform the configured JIT action in the target identity platform or resource
    • Denial resets the record status to Request Access, allowing the user to resubmit if needed

    Pending requests are visible to approvers in the Notifications panel (the bell icon in the upper right portion of the Keeper Vault).

    User is Granted Privileged Access

    Once the request is approved, KeeperPAM grants the configured temporary group membership, role assignment, or resource-level privilege.

    The user can now click Launch to open the target resource through the Keeper Vault.

    When the approved access duration expires, KeeperPAM automatically removes the temporary privileged access.

    In the example below, the approver has granted access to the PAM Cloud record and the user can launch a remote browser session to the AWS console with elevated permissions.

  • Jun 17, 2026
    • Date parsed from source:
      Jun 17, 2026
    • First seen by Releasebot:
      Jun 18, 2026

    Keeper

    Secrets Manager CLI 1.4.0

    Keeper fixes binary install warnings and file paths, improves ksm secret get linked-record output, and makes platform installers more flexible with optional component selection. It also resolves a fresh-install shell crash and a broken macOS install.

    KSM-975

    Fixed the keyring warning on binary installs pointing users to pip install advice instead of the -keyring binary download; the bracketed advice also triggered zsh glob errors.

    KSM-1014

    Fixed the keyring-unavailable warning on binary installs pointing users to a non-existent -keyring binary download; the warning now directs users to re-run the installer and enable the "OS Keyring Support" component.

    KSM-980

    Fixed binary installs writing keeper.ini to the current working directory instead of the user's home directory.

    KSM-981

    ksm secret get now surfaces linked records (previously PAM credential records were invisible); linked UIDs appear in a links array in JSON output and a Links table in text output.

    KSM-1015

    Links output is now interpretable. Each link entry in JSON gains a decoded object (plain link data parsed; ai_settings / jit_settings decrypted with the record key), with raw fields preserved. The text Links table now shows Linked Record UID (self-links labeled (self)), Path, and decoded Link Data columns.

    KSM-1003

    Fixed binary installs writing ksm_cache.bin to the current working directory when caching was enabled; the cache now co-locates with keeper.ini in the home directory.

    KSM-1005

    Fixed ksm shell crashing on launch (UpdateChecker.check() takes 1 positional argument but 3 were given) on fresh installs after the update-checker 1.0.0 release.

    KSM-983

    Platform installers (macOS, Windows, Linux) now offer optional component selection at install time. OS Keyring Support and Cloud Sync can be independently enabled via checkboxes/prompts in a single installer.

    KSM-1006

    Fixed the macOS installer producing a broken install; the postinstall step now symlinks the PyInstaller onedir layout so the binary resolves its _internal directory.

    Links

    • PyPI Package
    • Docker Hub
    • GitHub Releases
    • See CLI Documentation