Critical Local Privilege Escalation in KeePassXC (CVE‑2026‑4158) via Uncontrolled OpenSSL Config Path
What It Is – A newly disclosed vulnerability (CVE‑2026‑4158) in the open‑source password manager KeePassXC allows an attacker who can already run low‑privileged code on a workstation to control the OpenSSL configuration file that KeePassXC loads, because the path to that file is not adequately protected. The result is a local privilege escalation (LPE): arbitrary code executes in the context of the KeePassXC process, with the full user‑level rights of the account running it.
Exploitability – The flaw is locally exploitable only; an attacker must first obtain a foothold with limited privileges. No public exploit code has been released, but the CVSS 7.3 score (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) reflects a high impact once that initial foothold exists. A vendor‑issued patch is available.
Affected Products – KeePassXC (all versions prior to the March 2026 security update).
TPRM Impact – KeePassXC is widely deployed across enterprises for credential storage. A compromised instance can expose privileged passwords, API keys, or other secrets stored in the vault, creating a supply‑chain risk for downstream services and partners.
Recommended Actions –
- Patch immediately – Deploy the March 2026 KeePassXC update (see GitHub advisory GHSA‑4gr2‑cr97‑q9fx).
- Validate configuration – Ensure OpenSSL configuration files, and the directories that contain them, are stored in protected, access‑controlled locations that low‑privileged users cannot create or modify.
- Enforce least‑privilege execution – Run KeePassXC under a dedicated, non‑admin user account and restrict write permissions on its installation folder.
- Monitor for anomalous processes – Deploy endpoint detection that flags unexpected launches of KeePassXC or OpenSSL with elevated privileges.
- Review stored secrets – Rotate any credentials that may have been accessed by compromised KeePassXC instances.
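To support the "Validate configuration" step, the following Python audit is an added example, not code from the advisory or the KeePassXC project: it lists the OpenSSL configuration files a process would consult (the `OPENSSL_CONF` override and the compiled‑in `OPENSSLDIR` reported by `openssl version -d`) and flags any path component that a non‑privileged user could create or modify. What counts as "access‑controlled" (ownership, write bits, the sticky‑directory exemption) is this script's own assumption.

```python
import os
import stat
import subprocess

# Added audit helper (not the advisory's own check): what "access-controlled"
# should mean for openssl.cnf is an assumption of this script.
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def candidate_config_paths():
    """OpenSSL config files a process would consult, OPENSSL_CONF override first."""
    paths = [os.environ["OPENSSL_CONF"]] if os.environ.get("OPENSSL_CONF") else []
    try:
        out = subprocess.run(["openssl", "version", "-d"], capture_output=True,
                             text=True, check=True).stdout
        # Output looks like: OPENSSLDIR: "/usr/lib/ssl"
        paths.append(os.path.join(out.split('"')[1], "openssl.cnf"))
    except (OSError, subprocess.CalledProcessError, IndexError):
        pass
    return paths


def audit_config_path(path, trusted_uids=(0,)):
    """Findings for one openssl.cnf path; every component up to '/' must exist,
    be owned by a trusted uid and not be group/world writable.  A sticky
    world-writable dir such as /tmp is tolerated above components that already
    exist (others cannot rename/delete there) but not above a missing one."""
    findings = []
    cur = os.path.realpath(path)  # follow symlinks; audit the real chain
    child_exists = os.path.exists(cur)
    if not child_exists:
        findings.append(f"{cur}: missing; whoever can write the parent can create it")
    while True:
        if os.path.exists(cur):
            st = os.stat(cur)
            if st.st_uid not in trusted_uids:
                findings.append(f"{cur}: owned by uid {st.st_uid}, not a trusted uid")
            sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
            if st.st_mode & WRITE_BY_OTHERS and not (sticky_dir and child_exists):
                findings.append(f"{cur}: writable by group/others ({stat.filemode(st.st_mode)})")
            child_exists = True
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    return findings


if __name__ == "__main__":
    for cfg in candidate_config_paths():
        print(cfg, audit_config_path(cfg) or "ok")
```

A missing file under a directory that others can write is reported as well, since that is exactly the case where an unprivileged user can supply the file the process will load.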