Skip to content

Releases: Keeper-Security/Commander

Release 18.0.12

Choose a tag to compare

@sk-keeper sk-keeper released this 16 Jul 23:09

Keeper Commander release version v18.0.12

New Features

  • CNAPP integration commands — Added new commands and helpers for CNAPP (Cloud-Native Application Protection) integration.
  • Slack multi-channel approvals — Added setup for Slack multi-channel approvals and Slack record sync-down.=
  • Secrets Manager usage report — New secrets-manager usage report matching the KSM widgets in Admin Console.
  • pamGitHubConfiguration record support — Added support for the GitHub configuration record type in PAM.
  • NSF support in PAM commands — Added Native Shared Folder (NSF) folder and record support to PAM commands.
  • NSF support in workflow commands — Workflow commands now support Native Shared Folders.
  • Import from Bitwarden — Bitwarden collections are now mapped to Keeper folders during import.

Improvements

  • record-add self-destructrecord-add with self-destruct now returns the record UID and supports --format=json.
  • NSF child folder permissions — Support for denying permission inheritance from Commander when sharing or changing NSF child folder permissions.
  • transfer command help — Improved help text for the Managed Company transfer command.

Bug Fixes

  • Fixed a misleading communication error when assigning a team to an admin role.
  • Fixed whoami command failing for trial enterprise accounts.
  • Exposed the owner flag in classic shared folder get JSON output.
  • Fixed share-folder record expiration and Record Owner Edit (ROE) handling.
  • Fixed redundant full syncs during Docker Service Mode startup.
  • Fixed import command to only update records when in the same folder.

Release 18.0.11

Choose a tag to compare

@sk-keeper sk-keeper released this 08 Jul 00:07

Commander 18.0.11

Bug Fixes

  • Import command — Records are now only updated when they belong to the same folder as the import target.
  • PAM config list — Fixed CRON expression parsing dropping the seconds field from 6-part Quartz CRON expressions when displaying PAM configuration schedules.
  • SSO login over SSH — Fixed a failure when using SSO authentication in remote/SSH sessions where clipboard access (pyperclip) is unavailable.

Release 18.0.10

Choose a tag to compare

@sk-keeper sk-keeper released this 02 Jul 22:03

What's New in 18.0.10

New Features

  • Vault-style passphrase generation — Added passphrase generation to Commander CLI.

  • PAM action service map — New pam action service map command to map users to discovered Windows services.

  • PAM connection AI togglespam connection ai now supports --enabled/-e and --session-terminate/-st flags to configure resource-level AI settings.

Improvements

  • PAM graph migration — Service discovery migrated from the user service graph to the PAM graph.

Bug Fixes

  • Fixed KEEPER_SSL_CERT_FILE being ignored for SSL verification in REST, PAM, tunnel HTTP, and DAG connections.

  • Fixed nsf-mkdir to correctly resolve existing parent folder UIDs in paths instead of treating them as literal names.

  • Fixed non-owners being able to attach PAM rotation scripts; uploads are now flagged with is_script for server-side owner enforcement.

  • Fixed OS type detection by lowercasing the value before comparing against "windows".

  • Fixed mc_transfer_perform to respect the treeKeyTypeId property.

Release 18.0.9

Choose a tag to compare

@sk-keeper sk-keeper released this 23 Jun 15:49

New Features

  • KeeperAI PAM Connection Settings (pam connection ai)
    New command to manage KeeperAI settings on PAM resources and remote browser instances. Supports show, set, unset, and remove operations for AI configuration on PAM connections.

  • PAM Gateway Online Filter
    pam gateway list now accepts --online (-o) to filter results to only online gateways, along with gateway totals in the output.

  • Enterprise MSP Transfer
    Added support for transferring an enterprise to another MSP (KC-1024).

  • Thycotic Import: Selective Secret IDs
    import --format thycotic now accepts --secret-ids (comma-separated) to import or inspect specific secrets by ID — useful for debugging cases where the Thycotic lookup API omits secrets due to security policies.

  • KCM: Port Mapping Defaults and Empty User Handling
    KCM export now supports connections with empty user or port fields: missing ports fall back to protocol defaults (configurable via KCM_mappings.json), connections missing a user are logged for follow-up, and allow-file-uploads is available for RBI connections.

Bug Fixes

  • Security: SQL Injection in MSSQL Password Rotation
    Fixed a SQL injection vulnerability in MSSQL password rotation and added input validation to reject unsafe --password values.

  • PAM Rotation Edit: SaaS Profile Fix (DR-1280)
    Fixed an issue where pam rotation edit did not correctly apply SaaS profiles.

  • IAM User Link Rotation Request Shape
    Fixed the permission-check rotation request for IAM user links — configurationUid, matching revision, and an explicit empty resourceUid are now sent to correctly handle IAM rotation semantics.

  • NSF Share Expiration and Folder Labels (KC-1307–1310)

  • Fixed expiration updates for nsf-share-folder and nsf-share-record
  • Enforced a one-minute minimum on NSF and classic share expiration
  • Standardized list/search record_category output to lowercase (classic/nested)
  • Renamed Supershell Drive folder labels to Nested Shared Folder (Shared) and Nested Shared Folder (NonShared)

Enhancements

  • NSF Record Add/Update Policy Enforcement
    nsf-record-add and nsf-record-update now enforce GENERATED_PASSWORD_COMPLEXITY and RESTRICT_RECORD_TYPES enterprise policies.

Release 18.0.8

Choose a tag to compare

@sk-keeper sk-keeper released this 13 Jun 02:00

Keeper Commander 18.0.8

PAM: Expanded Database Protocol Support

  • pam connection edit and pam import now support seven additional database protocols: mariadb, oracle, mongodb, redis, elasticsearch, clickhouse, and dynamodb (in addition to the existing mysql, postgresql, and sql-server)

PAM: RBI (Remote Browser Isolation) Enhancements

  • pam rbi edit: new --session-persistence option with none, user, or resource modes
  • New RBI settings in pam import and pam extend: allow_file_uploads, allow_file_downloads, disable_audio, audio_channels, audio_bps, audio_sample_rate

PAM: Scrollback Buffer for Terminal and Database Connections

  • pam import/pam extend now support a scrollback setting for SSH, Kubernetes, CLI-capable database, and Windows Remote App connections — aligned with Web Vault behavior

get Command: Secret Field Masking

  • The get command now masks all secret-type fields and custom fields in --detail and --fields output, preventing accidental exposure of sensitive values in console output or logs

record-add: Label Control

  • New --labels=on/off flag to omit redundant labels on standard fields when creating records programmatically or via scripts

Bug Fixes

  • KSM: Fixed sync spinner corrupting console output
  • PAM/Discovery: Switched DAG transport to legacy JSON single-stream mode; removed use_per_graph_endpoints flag that caused routing errors
  • LastPass import: Handle Base64-encoded private keys during vault import
  • Docker: Fixed persistent login error handling in interactive console sessions; improved record lookup fallback in keeper get shell integration

MC Transfer Beta Release

Choose a tag to compare

@sk-keeper sk-keeper released this 08 Jun 22:17

Keeper Commander release version mc-transfer-beta

Release 18.0.7

Choose a tag to compare

@sk-keeper sk-keeper released this 07 Jun 04:12

Keeper Commander release v18.0.7

Bug fixes

  • kcm-import --output filename tighten file permissions

Release 18.0.6

Choose a tag to compare

@sk-keeper sk-keeper released this 05 Jun 23:12

Keeper Commander 18.0.6

New Features

  • Universal Secret Sync — New commands to configure and run synchronization of secrets across networks:
    • pam universal-sync-config (alias usc) — manage sync configurations with list/l, add/a, edit/e, and remove/rm subcommands.
    • pam universal-sync-run (alias usr) — run a configured Universal Sync.
  • pamCloudResource workflow support — pamCloudResource is now a supported workflow type.

Bug Fixes

  • pam launch crash on empty DAG parentRef — Fixed a crash when the DAG parentRef value was empty.
  • pam launch DAGPathException — Fixed via UID-exact vertex lookup with an added guard.
  • pam launch spurious error on logout — No longer shows a guacd_error notice on a normal logout).
  • pam connection edit — Fixed handling of connection settings and launch/admin credentials.
  • Service mode /health rate limiting — The /health endpoint is now exempt from the global API rate limit.

Release 18.0.5

Choose a tag to compare

@sk-keeper sk-keeper released this 05 Jun 05:22

Keeper Commander 18.0.5

✨ New Features

  • Universal Secret Sync — new commands for syncing secrets across providers.
  • Cloud secret import to Nested Shared Folders — import cloud secrets directly into Nested Shared Folders.
  • CyberArk import — import users and teams from CyberArk, with membership download support.
  • PAM RBI file transfers — added Remote Browser Isolation file uploads/downloads, plus pam connection edit --scrollback.
  • Combined folder searchfind/search now supports multiple -c flags to search across folders.
  • NSF folder data in share-reportshare-report now includes NSF (non-shared folder) data.

🐛 Bug Fixes

  • pam connection edit — fixed editing of connection settings and launch/admin credentials.
  • Service mode — exempt the /health endpoint from API rate limiting; fixed Service Mode delete response handling.
  • Tunnel — close and unregister the tube when the connection state changes to closed.
  • Nested Shared Folders CLI — fixed record updates and nested directory creation.
  • Enterprise — limit enterprise object name lengths; ei role column now a string instead of a dict.
  • Workflow — removed force-close escalation on lease expiry; soft-close only.
  • epm scim (AzureAD) — use UPN as the username; improved epm scim ad manual.
  • Slack — fixed keyring slack-app issue.
  • KCM import — resolved Windows file-permissions mismatch during sync.

🔧 Internal / Maintenance

  • Updated generated proto files.
  • Docker image build now uses the config.json file from params.

Release 18.0.4

Choose a tag to compare

@sk-keeper sk-keeper released this 26 May 23:48

Keeper Commander 18.0.4

Security

  • Service mode hardening: Restricted cross-API-key usage on GET requests and blocked command injection via line breaks in service-mode payloads.

New features

  • share-folder --roe / list-sf --roe-eligible: Added Restrict-Outside-Editing flags to share-folder and a matching filter to list-sf so you can find and create folders that are ROE-eligible.
  • list-sf now available in service mode: Added list-sf to the integration command list so it can be invoked over the REST service.
  • Platform-standard config location: config.json is now stored in the OS-appropriate user data folder by default (still overridable via KEEPER_CONFIG_FILE / --config).

Bug fixes

  • import --update duplicating Login records
  • Custom labels extended to login, url, oneTimeCode, and password