CVE-2023-35866 Overview
CVE-2023-35866 is an Incorrect Authorization vulnerability in KeePassXC password manager through version 2.7.5. The flaw allows a local attacker who gains access to an authenticated KeePassXC database session to modify critical security settings—including the master password and second-factor authentication configuration—without being required to re-authenticate. This means that once a database is unlocked, no additional verification is needed to make potentially destructive changes to the database's security posture.
It is important to note that the KeePassXC vendor has disputed the severity of this vulnerability, stating that "asking the user for their password prior to making any changes to the database settings adds no additional protection against a local attacker." This reflects a design philosophy debate about defense-in-depth for local attack scenarios.
Critical Impact
Local attackers with access to an unlocked KeePassXC session can modify master password and 2FA settings without re-authentication, potentially locking out legitimate users or weakening database security.
Affected Products
- KeePassXC through version 2.7.5
Discovery Timeline
- 2023-06-19 - CVE-2023-35866 published to NVD
- 2024-12-11 - Last updated in NVD database
Technical Details for CVE-2023-35866
Vulnerability Analysis
This vulnerability represents an Incorrect Authorization (CWE-863) issue in how KeePassXC handles changes to sensitive database security settings during an active session. The core problem lies in the application's failure to require re-authentication when modifying critical security parameters.
In a typical secure application design, changes to authentication mechanisms (such as master passwords or multi-factor authentication settings) should require the user to verify their identity before such modifications are applied. KeePassXC's design permits these changes to be made freely once the database has been unlocked, creating a window of opportunity for attackers who can access an unattended, authenticated session.
Root Cause
The root cause of CVE-2023-35866 is the absence of a re-authentication check in the database settings modification workflow. When a user or attacker attempts to change the master password or second-factor authentication settings, KeePassXC does not validate that the current user is authorized to make such changes by requiring them to enter the existing credentials. This design decision assumes that physical access to an unlocked session implies full authorization, which conflicts with defense-in-depth security principles.
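To make the authorization gap concrete, the following Python model contrasts the unguarded pattern described above with a hardened variant that demands the existing credential before any sensitive change. This is an illustrative example written for this advisory, not KeePassXC source code; the salted PBKDF2 verifier, the `reauth_window_s` grace period and all method names are assumptions of the example.

```python
"""Model of a missing re-authentication gate (CWE-863) and its fix.

Illustrative stand-in written for this advisory; not KeePassXC code.
"""
import hashlib
import hmac
import os


class ReauthRequired(Exception):
    """Raised when a sensitive change is attempted without a fresh credential check."""


class DatabaseSession:
    """Minimal unlocked-database model.

    The verifier is a salted PBKDF2 value standing in for the real key
    derivation (assumption for the example). reauth_window_s is an assumed
    grace period: 0 means every sensitive change re-prompts.
    """

    def __init__(self, master_password, reauth_window_s=0):
        self._salt = os.urandom(16)
        self._verifier = self._derive(master_password, self._salt)
        self.unlocked = False
        self.second_factor_enabled = True
        self.reauth_window_s = reauth_window_s
        self._last_auth = None

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def verify(self, password):
        # Constant-time comparison of the derived value against the stored verifier.
        candidate = self._derive(password, self._salt)
        return hmac.compare_digest(candidate, self._verifier)

    def unlock(self, password, now):
        if not self.verify(password):
            return False
        self.unlocked = True
        self._last_auth = now
        return True

    def _rekey(self, new_password):
        self._salt = os.urandom(16)
        self._verifier = self._derive(new_password, self._salt)

    # --- Vulnerable pattern: the unlocked state alone authorizes the change.
    def change_master_password_unguarded(self, new_password):
        if not self.unlocked:
            raise PermissionError("database is locked")
        self._rekey(new_password)

    # --- Hardened pattern: prove possession of the current credential first.
    def _require_fresh_auth(self, current_password, now):
        if not self.unlocked:
            raise PermissionError("database is locked")
        recently_proven = (self.reauth_window_s > 0
                           and now - self._last_auth <= self.reauth_window_s)
        if recently_proven:
            return
        if current_password is None or not self.verify(current_password):
            raise ReauthRequired("enter the current master password to continue")
        self._last_auth = now

    def change_master_password(self, new_password, current_password=None, now=0.0):
        self._require_fresh_auth(current_password, now)
        self._rekey(new_password)

    def set_second_factor(self, enabled, current_password=None, now=0.0):
        self._require_fresh_auth(current_password, now)
        self.second_factor_enabled = enabled


def reauth_rejected(action):
    """Return True if calling action() is refused for lack of re-authentication."""
    try:
        action()
    except ReauthRequired:
        return True
    return False
```

The hardened methods treat "unlocked" and "authorized to change the key material" as two separate states, which is the defense-in-depth distinction the advisory draws. The grace window mirrors the way privilege-escalation tools cache a recent credential check; setting it to 0 gives the strictest behaviour.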
Attack Vector
The attack requires local access to a machine where KeePassXC is running with an unlocked database. This scenario can occur when:
- A user steps away from their workstation without locking their session
- An attacker gains access through malware or remote desktop compromise
- A malicious insider has physical access to an unlocked workstation
Once access to the authenticated session is obtained, the attacker can navigate to the database settings and modify the master password or disable/change second-factor authentication without any additional security prompts. The attacker could then lock out the legitimate user or create a backdoor for future access.
Exploiting the vulnerability does not require code execution; the changes are made entirely through the application's user interface. For detailed technical discussions, see the GitHub Issue Discussion and the related Medium Article on CVE-2023-35866.
Detection Methods for CVE-2023-35866
Indicators of Compromise
- Unexpected changes to KeePassXC database master password or inability to access previously accessible databases
- Second-factor authentication settings (such as YubiKey) being disabled or modified without user action
- Database file modification timestamps changing during periods when the user was not actively using KeePassXC
- Security event logs showing KeePassXC database file access during unusual hours or from unexpected user sessions
Detection Strategies
- Monitor file system changes to KeePassXC database files (.kdbx) for unexpected modifications
- Implement endpoint detection rules that alert on KeePassXC process activity during screen-locked or idle periods
- Configure SentinelOne to detect suspicious process interactions with password manager applications
- Enable Windows event logging for file access auditing on password database storage locations
Monitoring Recommendations
- Implement endpoint monitoring to track when KeePassXC databases are modified and correlate with user activity
- Configure alerts for database setting changes that occur shortly after periods of user inactivity
- Review KeePassXC Documentation for recommended security configurations and monitoring practices
- Deploy SentinelOne's behavioral AI to detect anomalous access patterns to sensitive credential stores
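The detection strategies and monitoring recommendations above both reduce to one correlation: a write to a .kdbx file while the session is locked, or long after the last user input, is worth an alert. The script below implements that correlation over a constructed event log. It is an added example for this advisory, not SentinelOne or KeePassXC tooling; the log format, the `SESSION`/`INPUT`/`FILE` event kinds and the 600-second default threshold are assumptions of the example.

```python
"""Correlate .kdbx writes with session lock state and user inactivity.

Added example for this advisory; the event log below is constructed, not
real OS or KeePassXC output.
"""
from datetime import datetime

# Constructed sample log for one workstation: session lock/unlock events,
# user-input heartbeats and file-modification events from an EDR or audit source.
SAMPLE_LOG = """\
2024-03-01T09:00:00 SESSION unlock
2024-03-01T09:05:12 INPUT
2024-03-01T09:30:00 FILE modify path=/home/alice/Passwords.kdbx
2024-03-01T09:31:00 SESSION lock
2024-03-01T09:40:00 FILE modify path=/home/alice/Passwords.kdbx
2024-03-01T09:45:00 FILE modify path=/home/alice/notes.txt
2024-03-01T10:15:00 SESSION unlock
2024-03-01T10:15:30 INPUT
2024-03-01T10:16:00 FILE modify path=/home/alice/Passwords.kdbx
"""


def parse_line(line):
    """Parse '<iso-timestamp> <KIND> [action] [key=value ...]' into a dict."""
    ts, kind, *rest = line.split()
    fields = {k: v for k, v in (f.split("=", 1) for f in rest if "=" in f)}
    action = next((f for f in rest if "=" not in f), None)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "action": action, **fields}


def find_suspicious_kdbx_writes(log_text, idle_threshold_s=600):
    """Return (timestamp, path, reason) for .kdbx writes that do not line up
    with an active, recently used session."""
    locked = True            # assume locked until an unlock event is seen
    last_activity = None     # time of the most recent unlock or user input
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["kind"] == "SESSION":
            locked = ev["action"] == "lock"
            if not locked:
                last_activity = ev["ts"]
        elif ev["kind"] == "INPUT":
            last_activity = ev["ts"]
        elif (ev["kind"] == "FILE" and ev["action"] == "modify"
              and ev.get("path", "").endswith(".kdbx")):
            if locked:
                findings.append((ev["ts"], ev["path"], "written while session locked"))
                continue
            idle = (ev["ts"] - last_activity).total_seconds()
            if idle > idle_threshold_s:
                findings.append((ev["ts"], ev["path"],
                                 f"written after {int(idle)}s without user input"))
    return findings


if __name__ == "__main__":
    for ts, path, reason in find_suspicious_kdbx_writes(SAMPLE_LOG):
        print(f"{ts.isoformat()} {path}: {reason}")
```

On the sample data the 09:30 write (24 minutes after the last input) and the 09:40 write (session locked) are flagged, while the 10:16 write shortly after an unlock is not. In production, tune the threshold to the KeePassXC auto-lock interval and exclude writes made by sync clients or backup agents, which legitimately touch the file without user input; the file timestamp alone cannot tell a master-password change from any other save.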
How to Mitigate CVE-2023-35866
Immediate Actions Required
- Always lock KeePassXC databases when stepping away from your workstation, even briefly
- Configure automatic database locking after a short period of inactivity within KeePassXC settings
- Enable operating system screen lock with short timeout periods
- Restrict physical access to workstations where KeePassXC is used
- Consider implementing additional endpoint protection to detect unauthorized session access
Patch Information
The KeePassXC development team has disputed this vulnerability, considering the current behavior intentional under their threat model for local attackers. Based on the available information, no specific patch has been released to address this issue. Users should refer to the GitHub Issue Comment and GitHub Issue Discussion for ongoing discussion of this design decision.
Workarounds
- Configure KeePassXC to automatically lock the database after a brief idle period (e.g., 30-60 seconds)
- Enable "Lock database when session is locked" option in KeePassXC security settings
- Use hardware security keys with challenge-response, which provide some protection against unauthorized changes
- Maintain offline backups of your KeePassXC database to recover from unauthorized modifications
# Configuration example: Enable automatic locking (via KeePassXC settings)
# Navigate to: Tools > Settings > Security
# - Set "Lock database after inactivity of" to 60 seconds
# - Enable "Lock databases when session is locked"
# - Enable "Lock databases after minimizing the window"
#
# For additional protection on Linux, configure screen locking:
gsettings set org.gnome.desktop.screensaver lock-enabled true
gsettings set org.gnome.desktop.screensaver lock-delay 0
gsettings set org.gnome.desktop.session idle-delay 60
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.