KeePass flaw allows retrieval of master password, PoC is public (CVE-2023-32784)


Important: This affects keepass for Windows PC (POSSIBLY Mac and Linux too). This means that:

  1. KeepassXC isn’t affected.

  2. Android versions like keepassDX aren’t affected.

  3. You usually need to have full physical access to the computer in question, or you need the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or a RAM dump of the entire system. This isn’t something that can easily extract a password remotely…

  4. The password database itself won’t reveal its password. For example, if I upload my encrypted password database file to a cloud server, and you manage to compromise said cloud server and download it, this exploit won’t help you extract the password from it.

The tldr is to use keepassXC.


Happy to hear the database file is safe because I definitely have some old ones floating around on some cloud storage providers. I’m going to play it safe and just assume all of those accounts are compromised. Thanks for posting this more people need to see this.

A fix is coming
The vulnerability affects the KeePass 2.X branch for Windows, and possibly for Linux and macOS. It has been fixed in the test versions of KeePass v2.54 – the official release is expected by July 2023.


The problem is the software used to open the database (keepass) not the database itself. Like Henry said a fix is coming but honestly just use keepassXC on PC or Mac (Windows/Linux/Mac). Mobile clients aren’t affected, I use keepassDX on mobile.

If you’re paranoid, you can independently encrypt the database file before uploading it to a cloud server. For example you can use s.s.e file encryptor or pgp symmetrical encryption to encrypt the password database file, and then upload it to your Google drive.


I made the switch a long time ago so that’s not an issue. I must have just misunderstood what you said originally I’m running very low on sleep lately so that’s likely why. I haven’t used “Keepass” in 5+ years so no worries there. Appreciate you two clearing it up though.

KeePass v2.54 is expected for “the beginning of June”.

1 Like

Nice to hear they’re rushing out a fix sooner