Threat Watch

Potential KeePass Flaw Discovered Allowing Plaintext Vault Export

The development team at KeePass is contesting what is being referred to as a recently discovered weakness that enables attackers to covertly export the full password vault in plain text. KeePass is similar to other password managers, however, where password managers like LastPass or Bitwarden are hosted in the cloud, the encrypted KeePass vault is kept locally on a user’s computer.

With write access to a target’s system, the recently discovered vulnerability (CVE-2023-24055) allows threat actors to change the KeePass XML configuration file and insert a malicious trigger that would export the vault in its entirety, including all usernames and passwords in cleartext. The export rule will be activated, and the contents of the vault will be stored to a file that the attackers may subsequently exfiltrate once the victim starts KeePass and enters the master password to open and decrypt the vault. Additionally, the threat actor can silently access all of the saved passwords because this export process begins in the background without alerting the user or requiring the master password to be supplied as confirmation.

Users have asked the KeePass development team to release a version of the program without the export capability or to add a confirmation box before vault contents can be exported. Another request is to include a configurable flag that would make it impossible to export data from the actual KeePass database and could only be toggled using the master password.


This “vulnerability” is controversial from the perspective of KeePass and other information security practitioners. Both parties point out that a user’s failure to secure write access to the KeePass configuration file isn’t an inherent vulnerability with KeePass itself. Furthermore, if a threat actor is able to access a properly protected configuration file, the potential to steal the contents of the victims KeePass vault is nearly endless. For example, a threat actor could replace the KeePass binary with an infected version, install a keylogging program to intercept the master password, read the contents of a decrypted database from memory, and more. However, the addition of the user requests listed above could help mitigate unprivileged attacks against the KeePass vault in the event that a user improperly secured their configuration file.