We are excited to announce the release of Netwrix Password Secure 26.6.100. This release brings French language support to the full product suite, meaningful security and compliance improvements, and a wide range of fixes across the server, web app, Windows app, browser extension, and SDK.
This release contains breaking changes. All administrators are strongly encouraged to read the full changelog carefully before deploying this update to a production environment.
Want the full details? Click the link below!
Highlights
Password Secure is now available in French
French has been added as a supported language across the entire Password Secure suite, including the web app, Windows app, server, server manager, browser extension, autofill add-on, and offline add-on. French-speaking users can now work in their preferred language from day one.
New logbook visibility controls for compliance
Two new user rights give administrators finer control over what non-administrative users can see in the logbook. “Can see client connection info in logbook” controls visibility of IP addresses, MAC addresses, and computer names. “Can see administrative logbook events” hides administrative event types from users who don’t need to see them. Both rights default to enabled for database administrators and disabled for all other users, supporting compliance with GDPR, HIPAA, and SOX requirements.
New right to protect user settings from unauthorized changes
A new user right — “Can manage user rights and options from third users and roles” — prevents users who lack this right from viewing or modifying the user rights and settings of other users, organizational units, and roles. “Read” rights on another user, OU, or role are now also required before their rights and options can be accessed at all.
Security advisory fixes (breaking changes)
This release addresses a security vulnerability (ADV-2026-008) that allowed any authenticated user to remotely invoke sensitive server-level operations without authorization. Three mitigations have been applied:
- Server key creation is now restricted to local server calls only and is no longer reachable over the network.
- HSM/PKCS#11 configuration operations now require database administrator rights and are limited to requests from localhost.
- PKCS#11 library path validation is now strictly enforced, rejecting network and UNC paths and requiring a valid code-signing certificate before a library is loaded.
Before upgrading, ensure your configured PKCS#11 library is on a local path and carries a valid code-signing certificate. Read the full advisory in the community.
New
| Description |
|---|
| Two new user rights have been introduced to restrict logbook visibility for non-administrative users. “Can see client connection info in logbook” controls visibility of client connection details such as IP addresses, MAC addresses, and computer names. “Can see administrative logbook events” controls visibility of administrative event types, hiding events belonging to other users when not granted. Both rights default to enabled for database administrators and disabled for all other users, supporting compliance with GDPR, HIPAA, and SOX. |
| French has been added as a supported language across the full Password Secure suite, including the autofill add-on, browser extension, offline add-on, server, server manager, web app, and Windows app. |
Improved
| Description |
|---|
| It is no longer necessary to define a last name when creating or editing a user. This resolves compatibility issues with Active Directory and Entra ID, and also resolves an issue where passwords of users without a last name could not be reset. |
| Some option names related to the browser extension were renamed and moved to a new category called “Browser extension.” |
| When creating API keys, it is no longer possible to select a “Custom” scope without defining object types. |
| A new user right, “Can manage user rights and options from third users and roles,” prevents users without this right from viewing or updating the rights and settings of other users, organizational units, and roles. “Read” rights on another user, OU, or role are now required to read their rights and options. |
| The look of the toggle switch in the filter for defining whether every criterion must match has been updated. |
| The wording of various texts across the solution has been updated for clarity and brevity. |
Bug fixes
The following table contains a comprehensive list of updates and fixes introduced in this version.
| Component | Description | Case # | Escalation # |
|---|---|---|---|
| Server | An error caused the database to lose all password and document history when you permanently deleted a user, an organizational unit, or a role using the Windows Application (version 9.3.1 to 26.5.1). | 441585 | |
| Breaking changes! We fixed two security advisories. You can read more about it here in the community. | 436133 | ||
| An issue caused server methods without authentication, like the HealthCheck, to fail. | 436749 | ||
| Web app | You can now change the server-side language of a user without changing another property. | 439508 | |
| The CSV import in the web application now works correctly in both the advanced and basic views. | 422673 | ||
| It is now possible to store IPv6 values in fields of type “IP address”. | 435762 | 4309362 | |
| Several design issues from the latest web application redesign no longer appear. | 419911, 440103, 419909 | ||
| The context menus in the “Applications” module and the list of directory services showed some entries like “Tags” twice. This is no longer the case; every entry is available only once. | 435607 | ||
| Windows app | The column headers of data printouts are now visible again when you run them via the Windows Application. | 436816 | 4309250 |
| Web app + Windows app | An incorrect German translation caused a logbook event to display as a duplicate. This issue no longer occurs. | 438413 | |
| .NET SDK | An issue in the .NET SDK affected role creation and modification (PsrRole object). This issue no longer occurs. | 439513 | |
| Browser Extension | The icon in the browser extension notifying a user about not executed autofill now has the normal size again. | 425352 |
Compatibility
The following client versions are compatible with Netwrix Password Secure Application Server 26.6.100:
- Windows & Web App: >= 26.3.100
- Browser Extensions & API/SDK: >= 26.3.100
Note: Areas affected by the changes in this release, such as the logbook, may show reduced data compared to before, even when using older compatible client versions.
Need help with this update?
There are many different ways to get help with our products!
| Situation | Action |
|---|---|
| If you feel the product is broken and not working as intended… | Contact Support |
| If you have a question you’d like to ask other experts… | Create a discussion in the community: Password Secure > Discussions & Questions |
| If you have a feature request… | Let our product team know directly: Password Secure > Ideas |
| If you have something cool to show… | Show everyone what you built: Password Secure > Show & Tell |
What are your thoughts?
We are always happy to hear from our users on what you like, and what you hope to see in the future. Please, share your thoughts below!