This huge password manager exploit may never get fixed

It’s been a bad few months for password managers — albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.

Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user’s entire password database in unencrypted plaintext. That’s an incredibly serious claim, but KeePass’s developers are disputing it.

A large monitor displaying a security hacking breach warning.
Stock Depot/Getty Images

KeePass is an open-source password manager that stores its contents on a user’s device, rather than in the cloud like rival offerings. Like many other apps, however, its password vault can be protected with a master password.

The vulnerability, logged as CVE-2023-24055, is available to anyone with write access to a user’s system. Once that’s been obtained, a threat actor can add commands to KeePass’s XML configuration file that automatically export the app’s database — including all usernames and passwords — into an unencrypted plaintext file.

Thanks to the changes made to the XML file, the process is all done automatically in the background, so users are not alerted that their database has been exported. The threat actor can then extract the exported database to a computer or server they control.

It won’t be fixed

A depiction of a hacker breaking into a system via the use of code.
Getty Images

However, the developers of KeePass have disputed the classification of the process as a vulnerability, since anyone who has write access to a device can get their hands on the password database using different (sometimes simpler) methods.

In other words, once someone has access to your device, this kind of XML exploit is unnecessary. Attackers could install a keylogger to get the master password, for instance. The line of reasoning is that worrying about this kind of attack is like shutting the door after the horse has bolted. If an attacker has access to your computer, fixing the XML exploit won’t help.

The solution, the developers argue, is “keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”

What can you do?

password manager lifestyle image

While KeePass’s developers appear unwilling to fix the issue, there are steps you can take yourself. The best thing to do is to create an enforced configuration file. This will take precedence over other config files, mitigating any malicious changes made by outside forces (such as that used in the database export vulnerability).

You’ll also need to make sure regular users do not have write access to any important files or folders contained within the KeePass directory, and that both the KeePass .exe file and the enforced configuration file are in the same folder.

And if you don’t feel comfortable continuing to use KeePass, there are plenty of other options. Try switching to one of the best password managers to keep your logins and credit card details safer than ever.

While this is undoubtedly more bad news for the world of password managers, these apps are still worth using. They can help you create strong, unique passwords that are encrypted on all your devices. That’s far safer than using “123456” for every account.

Today’s tech news, curated and condensed for your inbox



Check your inbox!

Please provide a valid email address to continue.

This email address is currently on file. If you are not receiving newsletters, please check your spam folder.

Sorry, an error occurred during subscription. Please try again later.

Editors’ Recommendations








Read More
Alex Blake

Latest

Madison Square Garden Sues Wired for Defamation Over Coverage of Leaked Celebrity Database

Photo Credit: Andrew Nyr / CC by 4.0 Madison Square Garden is filing a defamation suit against Wired for alleged defamation over the outlet’s coverage of the leaked MSG celebrity database. Madison Square Garden Entertainment is suing Advance Magazine Publishers, the publisher of Wired, over the outlet’s coverage of a leaked MSG database containing the

RugOne Xlink 7 review: A sophisticated rugged 4G walkie-talkie for populated wilderness, but not truly remote regions

TechRadar Verdict I can’t fault the execution of the RugOne Xlink 7, because the device ticks all the boxes for toughness and reliable communications. My issue is with 4G comms, which, by definition, make this device unsuitable for remote locations. Pros + Rugged and compact + Global 4G group calling + Impressive accessory bundle +

Interview: Dan Cherowbrier, CTO, Formula E

Lots of digital leaders must keep multiple plates spinning. After all, being a successful technology chief in the modern era means ensuring nothing falls crashing to the floor. Yet for Dan Cherowbrier, chief technology officer (CTO) at Formula E, the number of plates is bewildering. “It’s the most unique job you could ever imagine, because

NatWest signs up to quantum trial for fraud detection

The retail bank is one of 11 organisations testing quantum technologies as part of Digital Catapult’s quantum technology access programme By Cliff Saran, Managing Editor Published: 17 Jul 2026 12:05 Eleven organisations, including NatWest, have joined Digital Catapult’s Quantum Technology Access Programme (QTAP), delivered in collaboration with the National Quantum Computing Centre’s (NQCC) SparQ programme. 

Newsletter

Don't miss

Madison Square Garden Sues Wired for Defamation Over Coverage of Leaked Celebrity Database

Photo Credit: Andrew Nyr / CC by 4.0 Madison Square Garden is filing a defamation suit against Wired for alleged defamation over the outlet’s coverage of the leaked MSG celebrity database. Madison Square Garden Entertainment is suing Advance Magazine Publishers, the publisher of Wired, over the outlet’s coverage of a leaked MSG database containing the

RugOne Xlink 7 review: A sophisticated rugged 4G walkie-talkie for populated wilderness, but not truly remote regions

TechRadar Verdict I can’t fault the execution of the RugOne Xlink 7, because the device ticks all the boxes for toughness and reliable communications. My issue is with 4G comms, which, by definition, make this device unsuitable for remote locations. Pros + Rugged and compact + Global 4G group calling + Impressive accessory bundle +

Interview: Dan Cherowbrier, CTO, Formula E

Lots of digital leaders must keep multiple plates spinning. After all, being a successful technology chief in the modern era means ensuring nothing falls crashing to the floor. Yet for Dan Cherowbrier, chief technology officer (CTO) at Formula E, the number of plates is bewildering. “It’s the most unique job you could ever imagine, because

NatWest signs up to quantum trial for fraud detection

The retail bank is one of 11 organisations testing quantum technologies as part of Digital Catapult’s quantum technology access programme By Cliff Saran, Managing Editor Published: 17 Jul 2026 12:05 Eleven organisations, including NatWest, have joined Digital Catapult’s Quantum Technology Access Programme (QTAP), delivered in collaboration with the National Quantum Computing Centre’s (NQCC) SparQ programme. 

Bitcoin reclaiming its $69,000 holder cost basis could open XRP’s path to $1.26

Bitcoin’s move toward $69,000 would put XRP near $1.20, with renewed strength against BTC opening a path toward $1.26. Jul. 17, 2026 at 11:35 am GMT 3 min read Glassnode says Bitcoin’s $69,000 short-term holder cost basis is the next recovery test for the market and XRP. If Bitcoin reclaims it, XRP could hold near

Grey Business processes $61 million as stablecoins dominate payments

Grey Business enables startups and SMEs to open US Dollar (USD) corporate accounts, send and receive international payments, convert currencies, and transact using stablecoins such as USDC and USDT...

Utah Marketers to Host Free Business Networking Event in Layton on June 24

The custom web design company is hosting free monthly networking events for Northern Utah business leaders, with the next event scheduled for June 24 from 4 to 6 p.m. Utah Marketers is hosting a free local business networking event on June 24 from 4 to 6 p.m. at the company’s Layton office. The event is

WellnessVibe Announces Business DNA Workshop in Delhi and Mumbai, where Ancient Sound Wisdom Meets Modern Business Strategy

WellnessVibe has officially announced the launch of its transformative Business DNA Workshop on 7th June 2026 in Delhi and 20th June 2026 in Mumbai. (1888PressRelease) June 03, 2026 - Delhi/Mumbai, India - WellnessVibe has officially announced the launch of its transformative Business DNA Workshop on 7th June 2026 in Delhi and 20th June 2026 in