CVE-2026-4158 Overview
KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of KeePassXC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the configuration of OpenSSL. The product loads configuration from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of KeePassXC when run by a target user on the system. This vulnerability was tracked as ZDI-CAN-29156.
Critical Impact
Local attackers with low-privilege access can escalate privileges and execute arbitrary code in the context of KeePassXC, potentially compromising password vaults and sensitive credentials stored within the application.
Affected Products
- KeePassXC releases prior to the fixed version (the GitHub Security Advisory lists the exact affected range)
- Installations where the file the bundled OpenSSL reads its configuration from (the path in OPENSSL_CONF, or the compile-time default OPENSSLDIR/openssl.cnf) is missing or writable by low-privileged users
- Windows installations are the most likely to be exposed, because OpenSSL's compile-time OPENSSLDIR on Windows is frequently a path that does not exist on the target machine and whose nearest existing parent a standard user may be allowed to create directories in
Discovery Timeline
- 2026-04-11 - CVE-2026-4158 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-4158
Vulnerability Analysis
This vulnerability is classified as CWE-427: Uncontrolled Search Path Element. The flaw is that the OpenSSL library used by KeePassXC reads its configuration file from a location that a low-privileged user on the system may be able to write to, or to create if it does not already exist.
When KeePassXC initialises OpenSSL, libcrypto's automatic configuration step reads the file named by the OPENSSL_CONF environment variable or, if that variable is unset, the compile-time default OPENSSLDIR/openssl.cnf (openssl version -d prints OPENSSLDIR for a given build). That file is not passive: an engine section's dynamic_path directive, or in OpenSSL 3 a provider section's module directive, names a shared library that libcrypto loads into the calling process. If an attacker can place their own file at the path OpenSSL reads, either by creating it where none exists or by replacing a writable one, the attacker's library is loaded with no further checks.
The attack requires local access and the ability to execute low-privileged code, but successful exploitation leads to code execution with the privileges of the user running KeePassXC, inside the KeePassXC process. For a password manager that is a severe outcome: once the user unlocks a database, the attacker's code shares an address space with the decrypted entries and can read or exfiltrate stored credentials.
Root Cause
The root cause of this vulnerability lies in the insecure handling of the OpenSSL configuration path by KeePassXC. The application does not override or restrict the location from which the OpenSSL library it loads reads its configuration, so the library falls back to its built-in default, which on affected installations is a path that low-privileged users can write to or create. A configuration file placed there is parsed on initialisation, and its engine (dynamic_path) or provider (module) directives cause an attacker-supplied shared library to be loaded into the KeePassXC process, yielding arbitrary code execution.
Attack Vector
The attack vector is local, requiring the attacker to have initial low-privileged access to the target system. The exploitation process involves:
- The attacker gains low-privilege code execution on the target system
- The attacker determines the path OpenSSL will read (OPENSSL_CONF if the target's environment sets it, otherwise the build's OPENSSLDIR/openssl.cnf) and confirms that the file is absent and its nearest existing parent directory is writable, or that the file itself is writable
- A malicious OpenSSL configuration file is written there, with an engine dynamic_path or provider module directive that names an attacker-controlled shared library to be loaded
- When a target user launches KeePassXC, the application loads the malicious configuration
- Arbitrary code executes in the context of the user running KeePassXC
The vulnerability requires user interaction (the target user must run KeePassXC) for successful exploitation. For detailed technical information, refer to the Zero Day Initiative Advisory ZDI-26-215 and the GitHub Security Advisory.
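The "writable location" step above can be made concrete. The script below is an added example for this advisory, not KeePassXC or OpenSSL code: it resolves the path OpenSSL will read (OPENSSL_CONF if set, otherwise the OPENSSLDIR reported by openssl version -d plus openssl.cnf) and decides whether a low-privileged user could create or replace that file, walking up to the nearest existing ancestor when the file is missing. It uses POSIX owner and mode semantics; the FAKE_FS model, the uid 1000 owner and every path in it are constructed for illustration, and on Windows the same decision has to be made from the directory ACLs (icacls), which the script does not read.

```python
"""Can a low-privileged local user create or replace an OpenSSL config path?
Added example for this advisory; not KeePassXC or OpenSSL code.  POSIX
ownership/mode semantics only; on Windows inspect the ACLs of the same path."""
import os
import posixpath
import re
import stat
import subprocess
from typing import Callable, Tuple


def writable_by_others(st: os.stat_result, trusted_uids=(0,)) -> bool:
    """An object an untrusted user can change: owned by someone outside
    trusted_uids, world-writable, or group-writable by a non-root group."""
    return (st.st_uid not in trusted_uids
            or bool(st.st_mode & stat.S_IWOTH)
            or bool(st.st_mode & stat.S_IWGRP and st.st_gid != 0))


def nearest_existing(path: str, exists: Callable[[str], bool], pathmod=os.path) -> str:
    """Walk up from a missing path to its first existing ancestor: the
    directory an attacker needs write access to in order to plant the
    missing remainder (the typical missing-OPENSSLDIR case on Windows)."""
    cur = pathmod.normpath(path)
    while not exists(cur):
        parent = pathmod.dirname(cur)
        if parent == cur:                 # filesystem root, always exists
            break
        cur = parent
    return cur


def assess(conf_path: str, exists: Callable[[str], bool] = os.path.exists,
           stat_fn: Callable[[str], os.stat_result] = os.stat,
           pathmod=os.path) -> Tuple[str, str]:
    """Return ('hijackable' | 'ok', reason) for one candidate openssl.cnf."""
    target = pathmod.normpath(conf_path)
    if exists(target):
        if writable_by_others(stat_fn(target)):
            return "hijackable", f"{target} is writable by untrusted users"
        parent = pathmod.dirname(target)
        pst = stat_fn(parent)
        # A non-sticky world-writable parent lets anyone rename over the file.
        if writable_by_others(pst) and not pst.st_mode & stat.S_ISVTX:
            return "hijackable", f"{parent} lets untrusted users replace {target}"
        return "ok", f"{target} exists and only trusted users can change it"
    anc = nearest_existing(target, exists, pathmod)
    # The sticky bit does not prevent creation, so it is irrelevant here.
    if writable_by_others(stat_fn(anc)):
        return "hijackable", f"{target} is missing and {anc} lets untrusted users create it"
    return "ok", f"{target} is missing and {anc} is not writable by untrusted users"


def default_conf_path() -> str:
    """Path OpenSSL reads on this host: $OPENSSL_CONF if set, otherwise
    OPENSSLDIR/openssl.cnf from `openssl version -d`.  Caveat: a libcrypto
    bundled with an application may be built with a different OPENSSLDIR
    than the openssl CLI found on PATH."""
    env = os.environ.get("OPENSSL_CONF")
    if env:
        return env
    out = subprocess.run(["openssl", "version", "-d"], capture_output=True,
                         text=True, check=True).stdout
    m = re.search(r'OPENSSLDIR:\s*"([^"]+)"', out)
    if not m:
        raise RuntimeError(f"could not parse OPENSSLDIR from {out!r}")
    return os.path.join(m.group(1), "openssl.cnf")


# Constructed filesystem model (not a real host) for the stand-alone demo.
def fake_stat(mode: int, uid: int = 0, gid: int = 0) -> os.stat_result:
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))

FAKE_FS = {
    "/": fake_stat(stat.S_IFDIR | 0o755),
    "/etc": fake_stat(stat.S_IFDIR | 0o755),
    "/etc/ssl": fake_stat(stat.S_IFDIR | 0o755),
    "/etc/ssl/openssl.cnf": fake_stat(stat.S_IFREG | 0o644),
    "/tmp": fake_stat(stat.S_IFDIR | 0o1777),              # sticky, world-writable
    "/home": fake_stat(stat.S_IFDIR | 0o755),
    "/home/alice": fake_stat(stat.S_IFDIR | 0o755, uid=1000, gid=1000),
}

def assess_fake(conf_path: str) -> Tuple[str, str]:
    """assess() against the constructed model instead of the real disk."""
    return assess(conf_path, FAKE_FS.__contains__, FAKE_FS.__getitem__, posixpath)


if __name__ == "__main__":
    for p in ("/etc/ssl/openssl.cnf", "/tmp/ssl/openssl.cnf",
              "/home/alice/ssl/openssl.cnf", "/usr/local/ssl/openssl.cnf"):
        print(p, "->", *assess_fake(p))
    try:
        real = default_conf_path()
        print(real, "->", *assess(real))
    except (OSError, subprocess.CalledProcessError, RuntimeError) as e:
        print("skipping live check:", e)
```

The missing-file case is the one that matters for this CWE: the sticky bit on a world-writable directory such as /tmp stops other users from deleting a root-owned file, but does nothing to stop them creating a file that was never there, so a default path under such a directory is reported as hijackable even though an existing root-owned file in the same directory would be safe. When checking a real host, point the assessment at the OPENSSLDIR of the libcrypto KeePassXC actually loads, which on Windows is not necessarily the one an openssl.exe on PATH reports.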
Detection Methods for CVE-2026-4158
Indicators of Compromise
- An openssl.cnf appearing at the OpenSSL default configuration path, or at the path named by OPENSSL_CONF, that was not installed there by the operating system or the application, particularly one created by a non-administrative account
- A DLL or shared library referenced by a dynamic_path or module directive in an openssl.cnf that does not belong to an OpenSSL or operating-system installation
- Process execution anomalies where KeePassXC spawns unexpected child processes or loads a library from a user-writable location
- File system modifications to OpenSSL configuration directories by non-administrative users
Detection Strategies
- Monitor file system activity for creation or modification of OpenSSL configuration files (openssl.cnf) in non-standard locations
- Use application control (library allow-listing) so that a DLL or shared object loaded by KeePassXC from outside its installation and system library directories is blocked, or at least logged
- Use endpoint detection and response (EDR) solutions to identify privilege escalation patterns originating from password manager applications
- Deploy file integrity monitoring on known OpenSSL configuration directories
Monitoring Recommendations
- Enable detailed process creation logging to capture command-line arguments and parent process relationships for KeePassXC
- Configure alerts for unusual file writes to directories in the system's library search paths
- Monitor image/library load events for the KeePassXC process (for example Sysmon Event ID 7 on Windows) and alert on modules loaded from user-writable or otherwise non-standard paths; OpenSSL itself emits no engine- or provider-load event, so the loader is where this has to be observed
- Implement behavioral analysis to detect anomalous KeePassXC process behavior indicative of code injection
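To back the file-integrity and configuration-monitoring recommendations above, the following is an added example for this advisory (not KeePassXC or OpenSSL code) of the check a monitoring job can run over any openssl.cnf it finds: it parses the file's INI-like format, follows the openssl_conf application section through its engines and providers lists, and reports every dynamic_path or module directive, that is, every shared library OpenSSL would load, that points outside a trusted prefix, plus every .include of another file. The two configurations in the block are constructed samples; the paths under /tmp/untrusted and the TRUSTED prefix list are assumptions for illustration, and the parser assumes the default application section name openssl_conf.

```python
"""Audit an openssl.cnf for directives that make OpenSSL load a shared
library.  Added example for this advisory; not KeePassXC or OpenSSL code.
Assumes the default application section name 'openssl_conf'."""
import re
from typing import Dict, List, Tuple

Sections = Dict[str, Dict[str, str]]

# Directives whose value is a path libcrypto hands to dlopen()/LoadLibrary():
#   dynamic_path -> ENGINE loaded through the built-in 'dynamic' engine
#   module       -> provider module (OpenSSL 3.x)
LOADER_KEYS = ("dynamic_path", "module")
# Keys in the application section that point at the engine/provider lists.
LIST_KEYS = ("engines", "providers")

_SECTION = re.compile(r"^\[\s*([^\]]+?)\s*\]$")
_PAIR = re.compile(r"^([^=\s]+)\s*=\s*(.*?)$")
_INCLUDE = re.compile(r"^\.include\s*=?\s*(\S+)")


def parse_openssl_cnf(text: str) -> Tuple[Sections, List[str]]:
    """Minimal reader for OpenSSL's INI-like format.  The unnamed block at
    the top is stored under 'default'.  Returns (sections, .include paths)."""
    sections: Sections = {"default": {}}
    includes: List[str] = []
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if (m := _INCLUDE.match(line)):
            includes.append(m.group(1))
        elif (m := _SECTION.match(line)):
            current = m.group(1)
            sections.setdefault(current, {})
        elif (m := _PAIR.match(line)):
            sections[current][m.group(1)] = m.group(2)
    return sections, includes


def reachable_loaders(sections: Sections, app: str = "openssl_conf") -> List[Tuple[str, str, str]]:
    """Follow openssl_conf -> engines/providers -> per-module sections and
    return (section, key, path) for each library OpenSSL would load.  Loader
    keys in sections nothing refers to are ignored: OpenSSL never visits them."""
    found: List[Tuple[str, str, str]] = []
    app_sect = sections["default"].get(app)
    if app_sect not in sections:
        return found
    for list_key in LIST_KEYS:
        list_sect = sections[app_sect].get(list_key)
        for _name, mod_sect in sections.get(list_sect, {}).items():
            for key in LOADER_KEYS:
                if key in sections.get(mod_sect, {}):
                    found.append((mod_sect, key, sections[mod_sect][key]))
    return found


def audit(text: str, trusted_prefixes: Tuple[str, ...]) -> List[str]:
    """Findings for one file: every reachable library load whose path lies
    outside trusted_prefixes, plus every .include (an include can pull an
    activated provider in from another file, so it is always listed)."""
    sections, includes = parse_openssl_cnf(text)
    findings = []
    for sect, key, path in reachable_loaders(sections):
        if not any(path.lower().startswith(p.lower()) for p in trusted_prefixes):
            findings.append(f"untrusted load: [{sect}] {key} = {path}")
    findings.extend(f"include: {inc}" for inc in includes)
    return findings


# Constructed sample: a stock-style config that activates only the built-in
# default provider and therefore loads nothing from disk.
BENIGN_CNF = """
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1
"""

# Constructed sample of the shape a planted file takes: a provider and an
# engine whose (hypothetical) library paths sit in a user-writable directory.
PLANTED_CNF = """
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
engines = engine_sect
[provider_sect]
custom = custom_sect
[custom_sect]
module = /tmp/untrusted/customprov.so    # hypothetical path
activate = 1
[engine_sect]
legacy = legacy_sect
[legacy_sect]
dynamic_path = /tmp/untrusted/libengine.so
init = 1
"""

# Assumed allow-list; a real deployment would use its OpenSSL install dirs.
TRUSTED = ("/usr/lib/", "/usr/lib64/", "C:\\Program Files\\")

if __name__ == "__main__":
    for name, cnf in (("benign", BENIGN_CNF), ("planted", PLANTED_CNF)):
        print(name + ":", audit(cnf, TRUSTED) or ["clean"])
```

Reachability is what keeps this from being noisy: a module line in a section that nothing refers to is never processed by OpenSSL, so it is not reported, whereas a load that is reachable but points into a trusted install directory is accepted. Includes are always listed because the included file, not this one, may be where the activated provider lives, and it needs the same audit.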
How to Mitigate CVE-2026-4158
Immediate Actions Required
- Update KeePassXC to the fixed release identified in the GitHub Security Advisory as soon as it is available
- Identify the configuration path the OpenSSL library used by KeePassXC reads and make sure the file and every directory above it are writable only by administrators; if the path does not exist, create it with administrator-only permissions so that a low-privileged user cannot create it first
- Implement application control policies to prevent unauthorized code execution within the context of KeePassXC
- Audit system directories for unexpected OpenSSL configuration files or suspicious shared libraries
Patch Information
Security patches and remediation guidance are available through the official KeePassXC channels. Refer to the GitHub Security Advisory GHSA-4gr2-cr97-q9fx for detailed patch information and affected version details. Additional context is available in the Zero Day Initiative Advisory ZDI-26-215.
Workarounds
- Ensure that all directories in the OpenSSL configuration search path have restrictive permissions, allowing writes only by administrative users
- Set the OPENSSL_CONF environment variable explicitly to a configuration file in a location low-privileged users cannot write, in an environment that KeePassXC actually inherits (the user's environment variables on Windows, the desktop session environment on Linux/macOS); OPENSSL_CONF takes precedence over the compile-time default path
- Run KeePassXC in an isolated environment or sandbox to limit the impact of potential exploitation
- Implement strict access controls on the system to minimize the risk of attackers gaining initial low-privilege access
# Windows (cmd.exe): point OpenSSL at a configuration file in a protected location for the current user
# (the path below is an example; use the file you actually want OpenSSL to read)
setx OPENSSL_CONF "C:\Program Files\OpenSSL\openssl.cnf"
# Windows: confirm that standard users have no write or create rights on the directory or the file
icacls "C:\Program Files\OpenSSL"
icacls "C:\Program Files\OpenSSL\openssl.cnf"
# Linux/macOS: point OpenSSL at the system configuration; put this in the session environment
# (e.g. ~/.profile) so that a KeePassXC started from the desktop inherits it
export OPENSSL_CONF="/etc/ssl/openssl.cnf"
# Linux/macOS: the file and every directory above it must be root-owned and not group- or world-writable
ls -ld / /etc /etc/ssl /etc/ssl/openssl.cnf
# Show the compile-time default the system OpenSSL reads when OPENSSL_CONF is unset
openssl version -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

