This huge password manager exploit may never get fixed

It’s been a bad few months for password managers — albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.

Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user’s entire password database in unencrypted plaintext. That’s an incredibly serious claim, but KeePass’s developers are disputing it.

A large monitor displaying a security hacking breach warning.
Stock Depot/Getty Images

KeePass is an open-source password manager that stores its contents on a user’s device, rather than in the cloud like rival offerings. Like many other apps, however, its password vault can be protected with a master password.

The vulnerability, logged as CVE-2023-24055, is available to anyone with write access to a user’s system. Once that’s been obtained, a threat actor can add commands to KeePass’s XML configuration file that automatically export the app’s database — including all usernames and passwords — into an unencrypted plaintext file.

Thanks to the changes made to the XML file, the process is all done automatically in the background, so users are not alerted that their database has been exported. The threat actor can then extract the exported database to a computer or server they control.

It won’t be fixed

A depiction of a hacker breaking into a system via the use of code.
Getty Images

However, the developers of KeePass have disputed the classification of the process as a vulnerability, since anyone who has write access to a device can get their hands on the password database using different (sometimes simpler) methods.

In other words, once someone has access to your device, this kind of XML exploit is unnecessary. Attackers could install a keylogger to get the master password, for instance. The line of reasoning is that worrying about this kind of attack is like shutting the door after the horse has bolted. If an attacker has access to your computer, fixing the XML exploit won’t help.

The solution, the developers argue, is “keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”

What can you do?

password manager lifestyle image

While KeePass’s developers appear unwilling to fix the issue, there are steps you can take yourself. The best thing to do is to create an enforced configuration file. This will take precedence over other config files, mitigating any malicious changes made by outside forces (such as that used in the database export vulnerability).

You’ll also need to make sure regular users do not have write access to any important files or folders contained within the KeePass directory, and that both the KeePass .exe file and the enforced configuration file are in the same folder.

And if you don’t feel comfortable continuing to use KeePass, there are plenty of other options. Try switching to one of the best password managers to keep your logins and credit card details safer than ever.

While this is undoubtedly more bad news for the world of password managers, these apps are still worth using. They can help you create strong, unique passwords that are encrypted on all your devices. That’s far safer than using “123456” for every account.

Today’s tech news, curated and condensed for your inbox



Check your inbox!

Please provide a valid email address to continue.

This email address is currently on file. If you are not receiving newsletters, please check your spam folder.

Sorry, an error occurred during subscription. Please try again later.

Editors’ Recommendations








Read More
Alex Blake

Latest

The 10 Best Vikings Players | Our Writers Cast Ballots

Dec 21, 2025; East Rutherford, New Jersey, USA; Minnesota Vikings wide receiver Justin Jefferson (18) makes a catch against the New York Giants during the first half at MetLife Stadium. Mandatory Credit: Vincent Carchietta-Imagn Images Among Vikings players, WR1 Justin Jefferson remains unchallenged as the best football player in the Twin Cities. He alone is

Cowboys safety Jalen Thompson receives votes among league’s best at position

We are a stone’s throw away from training camp beginning, and this being the case, the normal happenings of professional football will be dominating our lives on a day-to-day basis soon enough. The last few months have been an exercise in holding our attention until the real thing can. One of the best ways to

Indiana lands 5-star football recruit: Monshun Sales — nation’s No. 1 WR — commits to Curt Cignetti

The Hoosiers' first-ever, five-star commitment comes on the heels of IU's national championship run Jul 17, 2026 at 2:56 pm ET • 1 min read Imagn Images Indiana football landed the highest-rated recruit in program history on Friday when five-star wide receiver Monshun Sales committed to the Hoosiers, beating out finalists Alabama, LSU, Ohio State

Pros and Cons of Notre Dame’s 2026 Football Schedule

If you've heard anything about Notre Dame's schedule this coming season, you're aware that it isn't exactly setting the world on fire in terms of difficulty. The first six games Notre Dame plays come against that failed to qualify for bowl games last year. While that doesn't guarantee a similiar outcome for all in 2026

Newsletter

Don't miss

The 10 Best Vikings Players | Our Writers Cast Ballots

Dec 21, 2025; East Rutherford, New Jersey, USA; Minnesota Vikings wide receiver Justin Jefferson (18) makes a catch against the New York Giants during the first half at MetLife Stadium. Mandatory Credit: Vincent Carchietta-Imagn Images Among Vikings players, WR1 Justin Jefferson remains unchallenged as the best football player in the Twin Cities. He alone is

Cowboys safety Jalen Thompson receives votes among league’s best at position

We are a stone’s throw away from training camp beginning, and this being the case, the normal happenings of professional football will be dominating our lives on a day-to-day basis soon enough. The last few months have been an exercise in holding our attention until the real thing can. One of the best ways to

Indiana lands 5-star football recruit: Monshun Sales — nation’s No. 1 WR — commits to Curt Cignetti

The Hoosiers' first-ever, five-star commitment comes on the heels of IU's national championship run Jul 17, 2026 at 2:56 pm ET • 1 min read Imagn Images Indiana football landed the highest-rated recruit in program history on Friday when five-star wide receiver Monshun Sales committed to the Hoosiers, beating out finalists Alabama, LSU, Ohio State

Pros and Cons of Notre Dame’s 2026 Football Schedule

If you've heard anything about Notre Dame's schedule this coming season, you're aware that it isn't exactly setting the world on fire in terms of difficulty. The first six games Notre Dame plays come against that failed to qualify for bowl games last year. While that doesn't guarantee a similiar outcome for all in 2026

2 Vikings Included in PFN’s Top 100 Players of 2026

Minnesota Vikings receiver Justin Jefferson smiles during NFC practice for the Pro Bowl Games at Camping World Stadium, showing a relaxed side as players prepare for the weekend showcase. On Feb. 1, 2025, Jefferson takes part in the lighthearted session while the conference’s top players work through drills before the annual competition in Orlando. Mandatory

Grey Business processes $61 million as stablecoins dominate payments

Grey Business enables startups and SMEs to open US Dollar (USD) corporate accounts, send and receive international payments, convert currencies, and transact using stablecoins such as USDC and USDT...

Utah Marketers to Host Free Business Networking Event in Layton on June 24

The custom web design company is hosting free monthly networking events for Northern Utah business leaders, with the next event scheduled for June 24 from 4 to 6 p.m. Utah Marketers is hosting a free local business networking event on June 24 from 4 to 6 p.m. at the company’s Layton office. The event is

WellnessVibe Announces Business DNA Workshop in Delhi and Mumbai, where Ancient Sound Wisdom Meets Modern Business Strategy

WellnessVibe has officially announced the launch of its transformative Business DNA Workshop on 7th June 2026 in Delhi and 20th June 2026 in Mumbai. (1888PressRelease) June 03, 2026 - Delhi/Mumbai, India - WellnessVibe has officially announced the launch of its transformative Business DNA Workshop on 7th June 2026 in Delhi and 20th June 2026 in