Releases: Keeper-Security/Commander
Release list
Release 18.0.12
Keeper Commander release version v18.0.12
New Features
- CNAPP integration commands — Added new commands and helpers for CNAPP (Cloud-Native Application Protection) integration.
- Slack multi-channel approvals — Added setup for Slack multi-channel approvals and Slack record sync-down.=
- Secrets Manager usage report — New
secrets-managerusage report matching the KSM widgets in Admin Console. pamGitHubConfigurationrecord support — Added support for the GitHub configuration record type in PAM.- NSF support in PAM commands — Added Native Shared Folder (NSF) folder and record support to PAM commands.
- NSF support in workflow commands — Workflow commands now support Native Shared Folders.
- Import from Bitwarden — Bitwarden collections are now mapped to Keeper folders during import.
Improvements
record-addself-destruct —record-addwith self-destruct now returns the record UID and supports--format=json.- NSF child folder permissions — Support for denying permission inheritance from Commander when sharing or changing NSF child folder permissions.
transfercommand help — Improved help text for the Managed Companytransfercommand.
Bug Fixes
- Fixed a misleading communication error when assigning a team to an admin role.
- Fixed
whoamicommand failing for trial enterprise accounts. - Exposed the
ownerflag in classic shared foldergetJSON output. - Fixed
share-folderrecord expiration and Record Owner Edit (ROE) handling. - Fixed redundant full syncs during Docker Service Mode startup.
- Fixed import command to only update records when in the same folder.
Release 18.0.11
Commander 18.0.11
Bug Fixes
- Import command — Records are now only updated when they belong to the same folder as the import target.
- PAM config list — Fixed CRON expression parsing dropping the seconds field from 6-part Quartz CRON expressions when displaying PAM configuration schedules.
- SSO login over SSH — Fixed a failure when using SSO authentication in remote/SSH sessions where clipboard access (pyperclip) is unavailable.
Release 18.0.10
What's New in 18.0.10
New Features
-
Vault-style passphrase generation — Added passphrase generation to Commander CLI.
-
PAM action service map — New
pam action service mapcommand to map users to discovered Windows services. -
PAM connection AI toggles —
pam connection ainow supports--enabled/-eand--session-terminate/-stflags to configure resource-level AI settings.
Improvements
- PAM graph migration — Service discovery migrated from the user service graph to the PAM graph.
Bug Fixes
-
Fixed
KEEPER_SSL_CERT_FILEbeing ignored for SSL verification in REST, PAM, tunnel HTTP, and DAG connections. -
Fixed
nsf-mkdirto correctly resolve existing parent folder UIDs in paths instead of treating them as literal names. -
Fixed non-owners being able to attach PAM rotation scripts; uploads are now flagged with
is_scriptfor server-side owner enforcement. -
Fixed OS type detection by lowercasing the value before comparing against
"windows". -
Fixed
mc_transfer_performto respect thetreeKeyTypeIdproperty.
Release 18.0.9
New Features
-
KeeperAI PAM Connection Settings (pam connection ai)
New command to manage KeeperAI settings on PAM resources and remote browser instances. Supports show, set, unset, and remove operations for AI configuration on PAM connections. -
PAM Gateway Online Filter
pam gateway list now accepts --online (-o) to filter results to only online gateways, along with gateway totals in the output. -
Enterprise MSP Transfer
Added support for transferring an enterprise to another MSP (KC-1024). -
Thycotic Import: Selective Secret IDs
import --format thycoticnow accepts --secret-ids (comma-separated) to import or inspect specific secrets by ID — useful for debugging cases where the Thycotic lookup API omits secrets due to security policies. -
KCM: Port Mapping Defaults and Empty User Handling
KCM export now supports connections with empty user or port fields: missing ports fall back to protocol defaults (configurable via KCM_mappings.json), connections missing a user are logged for follow-up, and allow-file-uploads is available for RBI connections.
Bug Fixes
-
Security: SQL Injection in MSSQL Password Rotation
Fixed a SQL injection vulnerability in MSSQL password rotation and added input validation to reject unsafe --password values. -
PAM Rotation Edit: SaaS Profile Fix (DR-1280)
Fixed an issue where pam rotation edit did not correctly apply SaaS profiles. -
IAM User Link Rotation Request Shape
Fixed the permission-check rotation request for IAM user links — configurationUid, matching revision, and an explicit empty resourceUid are now sent to correctly handle IAM rotation semantics. -
NSF Share Expiration and Folder Labels (KC-1307–1310)
- Fixed expiration updates for nsf-share-folder and nsf-share-record
- Enforced a one-minute minimum on NSF and classic share expiration
- Standardized list/search record_category output to lowercase (classic/nested)
- Renamed Supershell Drive folder labels to Nested Shared Folder (Shared) and Nested Shared Folder (NonShared)
Enhancements
- NSF Record Add/Update Policy Enforcement
nsf-record-add and nsf-record-update now enforce GENERATED_PASSWORD_COMPLEXITY and RESTRICT_RECORD_TYPES enterprise policies.
Release 18.0.8
Keeper Commander 18.0.8
PAM: Expanded Database Protocol Support
pam connection editandpam importnow support seven additional database protocols: mariadb, oracle, mongodb, redis, elasticsearch, clickhouse, and dynamodb (in addition to the existing mysql, postgresql, and sql-server)
PAM: RBI (Remote Browser Isolation) Enhancements
pam rbi edit: new --session-persistence option with none, user, or resource modes- New RBI settings in
pam importandpam extend: allow_file_uploads, allow_file_downloads, disable_audio, audio_channels, audio_bps, audio_sample_rate
PAM: Scrollback Buffer for Terminal and Database Connections
- pam import/pam extend now support a scrollback setting for SSH, Kubernetes, CLI-capable database, and Windows Remote App connections — aligned with Web Vault behavior
get Command: Secret Field Masking
- The get command now masks all secret-type fields and custom fields in --detail and --fields output, preventing accidental exposure of sensitive values in console output or logs
record-add: Label Control
- New --labels=on/off flag to omit redundant labels on standard fields when creating records programmatically or via scripts
Bug Fixes
- KSM: Fixed sync spinner corrupting console output
- PAM/Discovery: Switched DAG transport to legacy JSON single-stream mode; removed use_per_graph_endpoints flag that caused routing errors
- LastPass import: Handle Base64-encoded private keys during vault import
- Docker: Fixed persistent login error handling in interactive console sessions; improved record lookup fallback in keeper get shell integration
MC Transfer Beta Release
Keeper Commander release version mc-transfer-beta
Release 18.0.7
Keeper Commander release v18.0.7
Bug fixes
kcm-import --output filenametighten file permissions
Release 18.0.6
Keeper Commander 18.0.6
New Features
- Universal Secret Sync — New commands to configure and run synchronization of secrets across networks:
pam universal-sync-config(alias usc) — manage sync configurations with list/l, add/a, edit/e, and remove/rm subcommands.pam universal-sync-run(alias usr) — run a configured Universal Sync.
- pamCloudResource workflow support — pamCloudResource is now a supported workflow type.
Bug Fixes
pam launchcrash on empty DAG parentRef — Fixed a crash when the DAG parentRef value was empty.pam launchDAGPathException — Fixed via UID-exact vertex lookup with an added guard.pam launchspurious error on logout — No longer shows a guacd_error notice on a normal logout).pam connection edit— Fixed handling of connection settings and launch/admin credentials.- Service mode /health rate limiting — The /health endpoint is now exempt from the global API rate limit.
Release 18.0.5
Keeper Commander 18.0.5
✨ New Features
- Universal Secret Sync — new commands for syncing secrets across providers.
- Cloud secret import to Nested Shared Folders — import cloud secrets directly into Nested Shared Folders.
- CyberArk import — import users and teams from CyberArk, with membership download support.
- PAM RBI file transfers — added Remote Browser Isolation file uploads/downloads, plus
pam connection edit --scrollback. - Combined folder search —
find/search now supports multiple-cflags to search across folders. - NSF folder data in share-report —
share-reportnow includes NSF (non-shared folder) data.
🐛 Bug Fixes
pam connection edit— fixed editing of connection settings and launch/admin credentials.- Service mode — exempt the
/healthendpoint from API rate limiting; fixed Service Mode delete response handling. - Tunnel — close and unregister the tube when the connection state changes to closed.
- Nested Shared Folders CLI — fixed record updates and nested directory creation.
- Enterprise — limit enterprise object name lengths;
eirole column now a string instead of a dict. - Workflow — removed force-close escalation on lease expiry; soft-close only.
epm scim(AzureAD) — use UPN as the username; improvedepm scim admanual.- Slack — fixed keyring slack-app issue.
- KCM import — resolved Windows file-permissions mismatch during sync.
🔧 Internal / Maintenance
- Updated generated proto files.
- Docker image build now uses the
config.jsonfile from params.
Release 18.0.4
Keeper Commander 18.0.4
Security
- Service mode hardening: Restricted cross-API-key usage on GET requests and blocked command injection via line breaks in service-mode payloads.
New features
share-folder --roe/list-sf --roe-eligible: Added Restrict-Outside-Editing flags to share-folder and a matching filter to list-sf so you can find and create folders that are ROE-eligible.list-sfnow available in service mode: Added list-sf to the integration command list so it can be invoked over the REST service.- Platform-standard config location: config.json is now stored in the OS-appropriate user data folder by default (still overridable via KEEPER_CONFIG_FILE / --config).
Bug fixes
import --updateduplicating Login records- Custom labels extended to login, url, oneTimeCode, and password