Updating account w/ referenced password does not update current account, but the referenced password #8003

Open
2019-05-10 opened this issue May 2, 2022 · 1 comment · May be fixed by #8023

Comments

@2019-05-10

Overview

I've got several sites that all use the same credentials (all sites use the same DB behind the scenes).
Therefore the accounts all reference the password from the first account created, to make sure whenever I need to update the password all accounts are updated.

Currently one account was removed from that infrastructure and now has its own password.
After logging in the first time with that new password, KeePassXC asked to update the account, to which I agreed.

While I expected it to replace the reference with the new password, KeePassXC instead updated the referenced password in the first account, thus breaking all other accounts!
There was no warning, nor did KeePassXC ask whether to replace the reference or the referenced password!

Steps to Reproduce

  1. have one account A with username, password for site A
  2. create two more accounts B and C for sites B and C, referencing the password of account A
  3. log in to site C with a different password
  4. accept request to update account C(!)
  5. learn that not account C was updated, but the password of account A

Expected Behavior

  • update the actual account the update was requested for -- if it has a password reference, do not simply assume the referenced password should be updated, but rather replace the reference with the actual new password!
  • ask whether the reference should be replaced with a new password or if the referenced password in account A should be updated

Actual Behavior

W/o warning or info the referenced password is updated, so instead of just one account all accounts are set to use the new password, which breaks all accounts except the one the update actually was requested for

Context

KeePassXC - Version 2.6.6
Revision: 9c108b9

Operating System: Linux
Desktop Env: KDE
Windowing System: X11
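
A simplified Python model of the two update behaviors the report asks to be distinguished, added here as an example; it is not KeePassXC code and not the fix mentioned in this thread. The `Entry` class, the function names and the mode strings are hypothetical, and the `{REF:P@I:<UUID>}` placeholder form is an assumption about how entries B and C reference account A's password.

```python
import re
from dataclasses import dataclass

# Assumed KeePass-style placeholder: another entry's password, looked up by UUID.
REF_RE = re.compile(r"^\{REF:P@I:([0-9A-Fa-f]{32})\}$")

@dataclass
class Entry:  # hypothetical minimal entry
    uuid: str
    title: str
    password: str  # literal secret, or a reference placeholder

def ref_target(entry):
    """UUID the password field points at, or None for a literal password."""
    m = REF_RE.match(entry.password)
    return m.group(1).upper() if m else None

def resolve(db, entry):
    """Follow references to the literal password, refusing cycles."""
    seen = set()
    while (target := ref_target(entry)) is not None:
        if target in seen:
            raise ValueError("reference cycle")
        seen.add(target)
        entry = db[target]
    return entry.password

def update_password(db, uuid, new_password, mode=None):
    """Apply an update and return the titles whose effective password changed."""
    before = {e.uuid: resolve(db, e) for e in db.values()}
    entry = db[uuid]
    target = ref_target(entry)
    if target is None or mode == "replace_reference":
        entry.password = new_password          # only this entry changes
    elif mode == "update_referenced":
        db[target].password = new_password     # every dependent entry follows
    else:
        raise ValueError("entry holds a reference: caller must choose a mode")
    return sorted(e.title for e in db.values() if resolve(db, e) != before[e.uuid])

def sample_db():
    """Constructed data: B and C reference A, as in the steps to reproduce."""
    a, b, c = "A" * 32, "B" * 32, "C" * 32
    ref = "{REF:P@I:%s}" % a
    entries = [Entry(a, "site A", "shared-pw"), Entry(b, "site B", ref), Entry(c, "site C", ref)]
    return {e.uuid: e for e in entries}
```

The returned list is the set of entries a prompt would need to name before writing through a reference: one title for `replace_reference`, all three for `update_referenced`.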

@varjolintu
Member

Made a fix for this. Feel free to test it if you like.