www.belgium.be Logo of the federal government

Warning - An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers

Advisory #2023-0011
Affected software: 
KeePass Password Safe
Unauthenticated RCE, Information disclosure



Keepass - https://keepass.info/help/kb/sec_issues.html#cfgw


An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers, e.g to obtain the cleartext passwords by adding an export trigger.


KeePass features an event-condition-action trigger system. With this system workflows can be automated. An attacker could abuse this feature by injecting malicious triggers in the KeePass configuration file.

The Keepass knowledge base article regarding security issues indicates having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection).

These attacks can only be prevented by keeping the environment secure by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc. Therefore, no patch will be provided.

Other projects supporting KeePass databases such as KeePassXC do not share code with KeePass. In addition, these do not implement a trigger system and are by consequence not vulnerable to this attack vector.

Recommended Actions

Since no patch will be made available, the CCB suggests to implement a mitigation via the enforced configuration feature. This feature is intended primarily for network administrators who want to enforce certain settings for users of a KeePass installation but can also be used by end users to harden their KeePass setup. Please take note this hardening only makes sense if this file can not be modified by the end user.

Settings in the enforced configuration file KeePass.config.enforced.xml take precedence over settings in global and local configuration files. Various options to harden your KeePass setup are documented in the GitHub Keepass-Enhanced-Security-Configuration repository listed in the reference section. It is for example possible to fully disable the trigger feature (XPath Configuration/Application/TriggerSystem).

Organizations might also consider moving to an alternative password manager with support for KeePass password vaults.


Vendor mailing list - https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/

Vendor knowledge base - https://keepass.info/help/kb/config_enf.html

Vulnerability disclosure - https://github.com/alt3kx/CVE-2023-24055_PoC

KeePass hardening guide - https://github.com/onSec-fr/Keepass-Enhanced-Security-Configuration