Version v7.1.18 (Stable)

With KeePass Client v7.1.18

Release Date

Oct 21, 2015

These Release Notes detail the differences between this release and the last stable version (7.1.5).
For information about the "Latest" versions inbetween, see Older And Inbetween Versions.


  • Vulnerability Patch
    • Summary:
      • 1-2 pieces of specific confidential information could be made accessible to select individuals who already have significant, but not full, access to the system.
    • Requirements:
      1. Unauthorized individual (attacker) would first require access to the file system on the machine where Password Server was installed.
      2. A second individual with authorized access to a particular credential would need to insert specific, unlikely information into a particular credential entry.
    • Scope of Impact:
      • The specific entry involved in requirement #2 above would potentially be accessible to the individual in requirement #2.
      • No other entries would be revealed.
      • Entry would not be revealed to individuals who do not have file system access to the Password Server.
    • Status:
      • This vulnerability has been fixed in this release.
      • Companies will be given 1 month to deploy this patch, before more specific information regarding the vulnerability is revealed.
      • Update:
        • The vulnerability fixed in the 7.1.15 patch resulted in the ‘WebLogs.txt’ files logging sensitive information if particular values were present in the entry. To remove this information, search the files for ‘zxcvbn’ and delete the log lines. By default the WebLogs files are located in C:/ProgramData/Pleasant Solutions/Password Server.
    • Versions Affected: 7.0.4 - 7.1.13


  • When Directory users who cannot reset their password through Password Server attempt a reset, they will now receive an email explaining that they cannot (previously, they would receive nothing).
  • Directory users that have already been imported and have the Administer Users permission can now log in when Directory access has been disabled (as, for example, when running unlicensed).
  • Administrators can now control their users' ability to edit their Display Name, Email and Phone Number with User Policies (User & Roles > Manage Policies)
  • KeePass: removed the "Duplicate Group" command from menus. Previously, the command would appear to work until the next sync with the server (which would cause the apparent duplicate to disappear).
  • KeePass (Offline Mode):
    • More visible indicators for when KeePass is operating in Offline Mode.
    • Preventing operations whose changes would be lost when KeePass reconnects to the server.
    • If a user does not have "View Entry Offline" access on an entry, the entry is not downloaded when entering Offline Mode; as a result, the user is unable to see the entry at all (previously, everything but the password was visible).
    • Workflow fixes for a smoother fallback to Offline Mode in the event of an unexpected disconnect.
  • Removed some inefficiencies in the database upgrade process from version 6 to version 7.
  • History now shows Tags, Custom Fields, Attached Files, and Proxy Settings.
  • Proxy Settings are now restored when restoring an entry from History.
  • An entry will no longer move when restored from History, even if restored to a revision in which it was originally located elsewhere.
  • Web Client now ignores case in tag names.
  • System Admins can now subscribe to our forthcoming mailing list for security alerts and release announcements.
  • The Import Error dialog now contains a link to the log file that details which entries and folders will be adjusted by the import.
  • Added a Path column to the Password Expiry and Strength reports.


Bug Fixes

  • Fixed an issue where Custom Field names with certain special characters would cause errors on the Web Client.
  • Fixed an issue that could prevent new Administrative permissions from being added to existing admin roles during upgrades.
  • Fixed an issue that would prevent a credential from being moved from between folders with different Access Levels that have the same permissions, if the user did not have Granting authority in both the source and destination.
  • Fixed an issue that could cause upgrades from version 6 to version 7 to fail on MS SQL Server with the error "The incoming request has too many parameters"
  • Fixed an issue that could cause the "Manage Policies" page to become inaccessible if .NET Framework version 4.6 was installed.
  • Fixed an issue where KeePass could not be untrayed when Two-Factor Authentication was enabled.
  • Fixed an issue that would cause notifications to sometimes fail to send.
  • Fixed an issue where a Client Config could not be set to be enforced for 'Everyone'.
  • Fixed an issue where Password Server would potentially log edits to entries twice and if a comment was required for the edit, display two consecutive comment dialogs.
  • Fixed an issue where KeePass could encounter an error if an OAuth Token expired and required Two-Factor Authentication to refresh.
  • Fixed an issue in the KeePass Client where changes to folder icons would not be saved to the server and would thus be lost when KeePass next refreshed.
  • Fixed an issue where a folder that had been configured with a Credential Host for Password AutoChange could not be deleted.
  • Fixed an issue where KeePass would not immediately have access to the password of a duplicated entry.

Known Issues 

  • Old versions of Client apps that do not support the Usage Comment feature will not be able to perform actions that have "require comments" turned on.  Make sure you also have the latest KeePass Client if you wish to use these features.
  • Nested AD/LDAP groups cannot be imported in Password Server Version 7.0.1 - 7.3.5.
  • Internet Explorer 8 is no longer supported in Password Server Version ≥ 7.0.1.
  • In Internet Explorer, The Password Server must be viewed with Compatibility Mode turned off.  Some IE settings force intranet sites to be viewed in Compatibility Mode; if these settings cannot be disabled, accessing the Web Client using its fully qualified domain name can get around these settings.