Component: KDBX Export (Web Vault / Desktop App)
Severity: Critical — Data export is completely broken for affected users
Summary
Keeper's KDBX export feature produces files containing invalid XML control characters — specifically Unicode U+0010 ("Data Link Escape") — making the exported .kdbx file completely unreadable by both KeePass 2.x and KeePassXC. This effectively blocks users from exporting their vault data, including critical file attachments, in the only encrypted export format Keeper offers.
Environment
- Keeper Web Vault / Desktop App (latest version, March 2026)
- Exported file:
.kdbx format (~300 MB, containing significant file attachments)
- Tested with: KeePass 2.x (Windows), KeePassXC (Windows)
- OS: Windows
Steps to Reproduce
- Log into Keeper (Web Vault or Desktop App)
- Go to Settings → Export → Select KDBX format
- Set a KeePass master password
- Export the vault
- Attempt to open the exported
.kdbx file in KeePass 2.x or KeePassXC
Expected Behavior
The exported .kdbx file should open successfully in any standard KeePass-compatible application, with all records, custom fields, and file attachments intact.
Actual Behavior
KeePass 2.x error:
Failed to load the specified file!
'', hexadecimal value 0x10, is an invalid character. Line 2, position 375583.
KeePassXC error:
Error while reading the database: XML error:
Unexpected ''.
Line 2, column 375583
Both applications fail at the exact same position (Line 2, position/column 375583), confirming the issue is in the exported file, not the applications.
Root Cause Analysis
The character U+0010 (Data Link Escape) is a C0 control character that is explicitly forbidden in XML 1.0 documents. Per the W3C XML 1.0 specification, the only permitted characters below U+0020 are:
- U+0009 (Tab)
- U+000A (Line Feed)
- U+000D (Carriage Return)
All other control characters (0x00–0x08, 0x0B–0x0C, 0x0E–0x1F) are invalid. Keeper's KDBX serialization does not sanitize or escape these characters before writing them into the XML payload inside the KDBX container. The offending byte likely originates from a record's Notes field, custom field content, or file attachment metadata.
KeePass 1.x historically had this same problem and resolved it by adding a filter to strip invalid control characters during export.
Impact
- This bug makes the KDBX export feature completely non-functional for affected users
- KDBX is the only encrypted export format Keeper offers — CSV, JSON, and PDF exports are all plaintext
- Users who need to migrate away from Keeper, or whose subscriptions are expiring, cannot export their data in a secure, standard format
- File attachments are only included in KDBX exports (not CSV); users with significant attachment data (mine is ~300 MB) have no viable export path for their files
- Re-exporting produces the same corrupted file every time, since the invalid character lives in the vault data itself
- This is a data portability issue — users are effectively locked in
Community Reports
This issue has been reported/discussed by multiple users on Reddit's r/KeeperSecurity:
The Stack Overflow community has extensively documented that 0x10 is an invalid XML character: SO #19739043
Workarounds Attempted
| Workaround |
Result |
| Re-export from Keeper |
Same corrupted file (bad character persists in vault data) |
| KeePassXC (more lenient parser) |
Same failure, different error message |
| KeePass Repair Mode |
Not yet confirmed for this corruption type |
Commander CLI (export --format=keepass) |
Untested — may use same serialization |
Recommended Fix
Keeper's KDBX serializer should strip or escape XML-invalid control characters (U+0000–U+0008, U+000B–U+000C, U+000E–U+001F) from all string fields before writing them into the KDBX XML payload. This is the same approach KeePass 1.x adopted to fix this exact class of bug.
Specifically:
- Before serializing any string value to the KDBX XML, strip characters in ranges
0x00–0x08, 0x0B–0x0C, 0x0E–0x1F
- Optionally replace stripped characters with a safe placeholder (empty string or space)
- Apply this filter to: record titles, usernames, passwords, URLs, notes, custom fields, and attachment metadata
Request
Given that this bug prevents legitimate data export, I respectfully request that Keeper:
- Fix the KDBX serializer to sanitize invalid XML characters
- Consider extending subscriptions for affected users until the fix is deployed, so they can export their data properly
- Provide interim guidance — confirm whether Commander CLI's
--format=keepass export is also affected
Filed by a Keeper user. Vault contains ~300 MB of data including file attachments. Happy to provide additional diagnostic information or a sanitized sample of the corrupted region upon request.
PDF report version to share outside github (management for example): https://nskha.fra1.cdn.digitaloceanspaces.com/ShareX/2026/03/qGV94h24VA.pdf
Component: KDBX Export (Web Vault / Desktop App)
Severity: Critical — Data export is completely broken for affected users
Summary
Keeper's KDBX export feature produces files containing invalid XML control characters — specifically Unicode U+0010 ("Data Link Escape") — making the exported
.kdbxfile completely unreadable by both KeePass 2.x and KeePassXC. This effectively blocks users from exporting their vault data, including critical file attachments, in the only encrypted export format Keeper offers.Environment
.kdbxformat (~300 MB, containing significant file attachments)Steps to Reproduce
.kdbxfile in KeePass 2.x or KeePassXCExpected Behavior
The exported
.kdbxfile should open successfully in any standard KeePass-compatible application, with all records, custom fields, and file attachments intact.Actual Behavior
KeePass 2.x error:
KeePassXC error:
Both applications fail at the exact same position (Line 2, position/column 375583), confirming the issue is in the exported file, not the applications.
Root Cause Analysis
The character U+0010 (Data Link Escape) is a C0 control character that is explicitly forbidden in XML 1.0 documents. Per the W3C XML 1.0 specification, the only permitted characters below U+0020 are:
All other control characters (0x00–0x08, 0x0B–0x0C, 0x0E–0x1F) are invalid. Keeper's KDBX serialization does not sanitize or escape these characters before writing them into the XML payload inside the KDBX container. The offending byte likely originates from a record's Notes field, custom field content, or file attachment metadata.
KeePass 1.x historically had this same problem and resolved it by adding a filter to strip invalid control characters during export.
Impact
Community Reports
This issue has been reported/discussed by multiple users on Reddit's r/KeeperSecurity:
The Stack Overflow community has extensively documented that 0x10 is an invalid XML character: SO #19739043
Workarounds Attempted
export --format=keepass)Recommended Fix
Keeper's KDBX serializer should strip or escape XML-invalid control characters (U+0000–U+0008, U+000B–U+000C, U+000E–U+001F) from all string fields before writing them into the KDBX XML payload. This is the same approach KeePass 1.x adopted to fix this exact class of bug.
Specifically:
0x00–0x08,0x0B–0x0C,0x0E–0x1FRequest
Given that this bug prevents legitimate data export, I respectfully request that Keeper:
--format=keepassexport is also affectedFiled by a Keeper user. Vault contains ~300 MB of data including file attachments. Happy to provide additional diagnostic information or a sanitized sample of the corrupted region upon request.
PDF report version to share outside github (management for example): https://nskha.fra1.cdn.digitaloceanspaces.com/ShareX/2026/03/qGV94h24VA.pdf