Version v7.6.4

With KeePass Client v7.6.3

Release Date

Apr 19th, 2017

These Release Notes detail the differences between this release and the last version of any type.

Download Here

Upgrade Instructions


  • Vulnerability Patch
    • Summary:
      • Additional confidential information could become accessible, but only for accounts that have already been compromised by other means.
    • Requirements:
      1. An unauthorized user would have to have already obtained the correct username and password.
      2. An unauthorized user would have to have knowledge of login requirements.
    • Scope of Impact:
      • The user would have to already have gained access to an authorized account on the Password Server.
      • The entries along with any further activities would display as usual in Password Server's auditing and history features.
    • Status:
      • This vulnerability has been fixed in this release.
      • Companies will be given 3 months to deploy this patch, before more specific information regarding the vulnerability is revealed.
      • Update:
        • One type of two-factor authentication was too lenient when validating responses that were similar to, but not an exact match for, the correct response. Exploiting this would require the login account password to already be known and the second factor to be similar to the correct response.
          Risks would be further mitigated by a standard user lockout policy that locks after multiple failed login attempts, as repeated attempts would be required for unauthorized persons to gain access within the timed period.
          This issue was fixed in version 7.6.4 and later releases, and no further action is required from administrators after updating.
    • Versions Affected: 7.0.1 - 7.6.3



  • Self-Enrollment is now available for RADIUS Two-Factor Users
  • Improvements to Active Directory performance
  • Syncing a Directory User will now update their username if it has changed since they were imported
  • The "Security" dialog in the Web Client has been renamed to "User Access" for clarity.  The "View Security" access permission has been renamed to "View User Access" to reflect this.
  • The "Permissions" access permission has been renamed to "Permit Granting" for clarity.
  • The temporary placeholder certificate will now use SHA-2. This change does not affect existing certificates. It is recommended that System Admins configure their Password Server with a Self-Signed Certificate or a 3rd Party Certificate.
  • Disabled users will no longer appear in the dropdowns for User Access, Comment Settings and Notification Settings.
  • Enterprise+ customers can now change the background colour of the Web Client in Settings > Appearance.
  • Enterprise+ options related to the appearance of the Web Client have been consolidated in Settings > Appearance.

Bug Fixes

  • Fixed an issue where the Policy rules regarding changes to a user's display name, phone number and email were not being applied for Reset Users.
  • All attempts to reset a user's password are now logged whether they succeed or fail. Audit logs of failed attempts will record the username of the account.
  • Fixed an issue where users with access to permit other users to Grant access to folders and entries could grant Access Levels containing the following without having the correct Grant access: Grant View User Access, Grant Modify Notification Settings, Grant Modify Comment Settings, Grant Modify Password AutoChange, Grant View Recorded Sessions
  • RDP SSO Server now properly creates the SSO Root Certificate if it does not already exist
  • Fixed an issue where the Launch RDP SSO links were not starting RDP SSO Client. Requires users to update their RDP SSO Client from the SSO Server Status page
  • Changing the sorting in a Folder will no longer cause hidden Custom Field columns to become shown.

Compatibility Notes

  • none