KeePassXC Vulnerability CVE-2023-35866 allows attackers to change the master password and second-factor authentication settings

KeePassXC, a modern and secure password manager, is the bulwark of choice for many who demand the utmost security in managing their personal data. However, every fortress has its weakness. A recent vulnerability was discovered in KeePassXC: CVE-2023-35866.

Before we examine the fault lines, let’s understand the fortress itself. KeePassXC is an open-source password manager compatible with Windows, macOS, and Linux systems. It acts as a repository for various types of sensitive information, including usernames, passwords, URLs, attachments, and even personal notes.

Stored in an encrypted, offline file, your data can reside anywhere—from a local folder on your desktop to cloud-based solutions. The platform provides user-defined titles, customizable icons, and a system of groups for efficient management. An integrated search function allows advanced pattern searches, ensuring swift access to any stored entry. Additionally, KeePassXC features a flexible password generator that can conjure up a robust combination of characters or easy-to-remember passphrases.

The core of CVE-2023-35866 lies in disturbing ease of access. A local attacker, within an authenticated KeePassXC Database session, can alter database security settings. This includes changing the master password and second-factor authentication settings—without the necessity of authenticating these changes.

Astonishingly, exporting the database or altering the master password requires no confirmation either. An attacker, having gained access to the system locally or remotely, could export the entire database or change the password swiftly, without encountering any barriers of protection.

Unlike other password managers requiring the master password for exporting data or altering it, KeePassXC, up to version 2.7.5, remains an exception, presenting an alarming lapse in security.

Awareness of a vulnerability is the first step towards its mitigation. Recognizing this, the dedicated team behind KeePassXC has assured that the issue will be addressed in the upcoming KeePassXC version 2.8.