Skip to content

Bug Report: KDBX Export Produces Invalid XML, Cannot Open in KeePass or KeePassXC #1913

Description

@silvyyuliana

Component: KDBX Export (Web Vault / Desktop App)
Severity: Critical — Data export is completely broken for affected users


Summary

Keeper's KDBX export feature produces files containing invalid XML control characters — specifically Unicode U+0010 ("Data Link Escape") — making the exported .kdbx file completely unreadable by both KeePass 2.x and KeePassXC. This effectively blocks users from exporting their vault data, including critical file attachments, in the only encrypted export format Keeper offers.

Environment

  • Keeper Web Vault / Desktop App (latest version, March 2026)
  • Exported file: .kdbx format (~300 MB, containing significant file attachments)
  • Tested with: KeePass 2.x (Windows), KeePassXC (Windows)
  • OS: Windows

Steps to Reproduce

  1. Log into Keeper (Web Vault or Desktop App)
  2. Go to Settings → Export → Select KDBX format
  3. Set a KeePass master password
  4. Export the vault
  5. Attempt to open the exported .kdbx file in KeePass 2.x or KeePassXC

Expected Behavior

The exported .kdbx file should open successfully in any standard KeePass-compatible application, with all records, custom fields, and file attachments intact.

Actual Behavior

KeePass 2.x error:

Failed to load the specified file!
'', hexadecimal value 0x10, is an invalid character. Line 2, position 375583.

KeePassXC error:

Error while reading the database: XML error:
Unexpected ''.
Line 2, column 375583

Both applications fail at the exact same position (Line 2, position/column 375583), confirming the issue is in the exported file, not the applications.

Root Cause Analysis

The character U+0010 (Data Link Escape) is a C0 control character that is explicitly forbidden in XML 1.0 documents. Per the W3C XML 1.0 specification, the only permitted characters below U+0020 are:

  • U+0009 (Tab)
  • U+000A (Line Feed)
  • U+000D (Carriage Return)

All other control characters (0x00–0x08, 0x0B–0x0C, 0x0E–0x1F) are invalid. Keeper's KDBX serialization does not sanitize or escape these characters before writing them into the XML payload inside the KDBX container. The offending byte likely originates from a record's Notes field, custom field content, or file attachment metadata.

KeePass 1.x historically had this same problem and resolved it by adding a filter to strip invalid control characters during export.

Impact

  • This bug makes the KDBX export feature completely non-functional for affected users
  • KDBX is the only encrypted export format Keeper offers — CSV, JSON, and PDF exports are all plaintext
  • Users who need to migrate away from Keeper, or whose subscriptions are expiring, cannot export their data in a secure, standard format
  • File attachments are only included in KDBX exports (not CSV); users with significant attachment data (mine is ~300 MB) have no viable export path for their files
  • Re-exporting produces the same corrupted file every time, since the invalid character lives in the vault data itself
  • This is a data portability issue — users are effectively locked in

Community Reports

This issue has been reported/discussed by multiple users on Reddit's r/KeeperSecurity:

The Stack Overflow community has extensively documented that 0x10 is an invalid XML character: SO #19739043

Workarounds Attempted

Workaround Result
Re-export from Keeper Same corrupted file (bad character persists in vault data)
KeePassXC (more lenient parser) Same failure, different error message
KeePass Repair Mode Not yet confirmed for this corruption type
Commander CLI (export --format=keepass) Untested — may use same serialization

Recommended Fix

Keeper's KDBX serializer should strip or escape XML-invalid control characters (U+0000–U+0008, U+000B–U+000C, U+000E–U+001F) from all string fields before writing them into the KDBX XML payload. This is the same approach KeePass 1.x adopted to fix this exact class of bug.

Specifically:

  1. Before serializing any string value to the KDBX XML, strip characters in ranges 0x00–0x08, 0x0B–0x0C, 0x0E–0x1F
  2. Optionally replace stripped characters with a safe placeholder (empty string or space)
  3. Apply this filter to: record titles, usernames, passwords, URLs, notes, custom fields, and attachment metadata

Request

Given that this bug prevents legitimate data export, I respectfully request that Keeper:

  1. Fix the KDBX serializer to sanitize invalid XML characters
  2. Consider extending subscriptions for affected users until the fix is deployed, so they can export their data properly
  3. Provide interim guidance — confirm whether Commander CLI's --format=keepass export is also affected

Filed by a Keeper user. Vault contains ~300 MB of data including file attachments. Happy to provide additional diagnostic information or a sanitized sample of the corrupted region upon request.

PDF report version to share outside github (management for example): https://nskha.fra1.cdn.digitaloceanspaces.com/ShareX/2026/03/qGV94h24VA.pdf

Metadata

Metadata

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions