KeePassXC OpenSSL Configuration Flaw Allows Local Privilege Escalation (CVE-2026-4158)
A local privilege escalation vulnerability in KeePassXC's OpenSSL configuration handling, tracked as CVE-2026-4158, lets an attacker who already has low-privileged code execution plant a configuration file that the application's OpenSSL will load, gaining the privileges of whichever user launches KeePassXC.

A local privilege escalation vulnerability has been disclosed in KeePassXC, the popular open-source password manager. Tracked as CVE-2026-4158 and reported by researcher Xavier DANEST through the Zero Day Initiative (ZDI-26-215), the flaw resides in how KeePassXC handles OpenSSL configuration. An attacker who already has low-privileged code execution on a target system can exploit an uncontrolled search path element to load arbitrary configuration from an unsecured location, leading to privilege escalation and arbitrary code execution in the context of KeePassXC when the application is launched by a target user.
The vulnerability carries a CVSS score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). The vector spells out the preconditions: the attacker needs an existing low-privileged foothold on the machine (AV:L, PR:L), exploitation is otherwise straightforward (AC:L), and a target user must launch KeePassXC before the planted configuration is read (UI:R). Scope is unchanged (S:U), so the gain is that user's privileges rather than SYSTEM. The core issue is that the OpenSSL library KeePassXC uses reads its configuration from a location that is not adequately secured, so a local attacker can place a configuration file there that the library will trust when it initializes. The attacker's code then runs with the same privileges as the KeePassXC process, which means access to whatever the process can reach: the user's database files and, once a database is unlocked, its contents in memory.
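The check a practitioner would want after reading this, as an added example that is not code from the advisory or the KeePassXC project: a PowerShell script that pulls the build-time OPENSSLDIR, MODULESDIR and ENGINESDIR strings out of the libcrypto DLL an install ships (OpenSSL embeds them as the literals returned by OpenSSL_version()) and tests whether a low-privileged principal could create files in those directories or, when a directory does not exist, in its nearest existing parent. The install path C:\Program Files\KeePassXC and the libcrypto*.dll name pattern are assumptions; adjust them to the build you run, and run the script elevated so Get-Acl can read every ACL.

```powershell
# Added example, not code from the advisory or the KeePassXC project.
# Recovers the directories an install's OpenSSL was built to read openssl.cnf
# and provider/engine modules from, and reports whether a low-privileged local
# user could create files there. Install path and DLL pattern are assumptions.
param(
    [string]$KeePassXCDir = 'C:\Program Files\KeePassXC'   # assumed install location
)

# Everyone, Authenticated Users, BUILTIN\Users: write access for any of these
# means a low-privileged attacker can plant a file.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# FileSystemRights.Write (WriteData|AppendData|WriteEA|WriteAttributes = 278)
# plus the GENERIC_WRITE / GENERIC_ALL bits that some inherited ACEs carry.
$WriteMask = 278 -bor 0x40000000 -bor 0x10000000

function Get-OpenSslBuildDirs {
    param([Parameter(Mandatory)][string]$LibCryptoPath)
    # libcrypto embeds its build-time paths as the literal strings returned by
    # OpenSSL_version(OPENSSL_DIR / OPENSSL_MODULES_DIR / OPENSSL_ENGINES_DIR).
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($LibCryptoPath))
    $dirs = @{}
    foreach ($key in 'OPENSSLDIR', 'MODULESDIR', 'ENGINESDIR') {
        $m = [regex]::Match($text, $key + ': "([^"]+)"')
        if ($m.Success) { $dirs[$key] = $m.Groups[1].Value }
    }
    return $dirs
}

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    # A directory that does not exist is the classic uncontrolled-search-path
    # case: the attacker only has to create it, so the ACL that matters is the
    # one on the nearest existing ancestor.
    $checked = $Path
    while (-not (Test-Path -LiteralPath $checked -PathType Container)) {
        $parent = Split-Path -Path $checked -Parent
        if ([string]::IsNullOrEmpty($parent) -or $parent -eq $checked) { break }
        $checked = $parent
    }
    $grantors = @()
    if (Test-Path -LiteralPath $checked -PathType Container) {
        foreach ($rule in (Get-Acl -LiteralPath $checked).Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs govern children, not file creation in this folder.
            if ($rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
            if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
            try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($LowPrivSids -contains $sid) { $grantors += $rule.IdentityReference.Value }
        }
    }
    [pscustomobject]@{
        Target          = $Path
        Exists          = [bool](Test-Path -LiteralPath $Path)
        CheckedPath     = $checked
        LowPrivWritable = ($grantors.Count -gt 0)
        GrantedTo       = (($grantors | Sort-Object -Unique) -join ', ')
    }
}

$libcrypto = Get-ChildItem -Path $KeePassXCDir -Filter 'libcrypto*.dll' -Recurse -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $libcrypto) { throw "No libcrypto DLL found under $KeePassXCDir" }

# OPENSSL_CONF, when set in the launching user's environment, overrides the
# compiled-in directory; this script only sees its own session's value.
$targets = [ordered]@{}
if ($env:OPENSSL_CONF) { $targets['OPENSSL_CONF'] = Split-Path -Path $env:OPENSSL_CONF -Parent }
$buildDirs = Get-OpenSslBuildDirs -LibCryptoPath $libcrypto.FullName
foreach ($key in $buildDirs.Keys) { $targets[$key] = $buildDirs[$key] }

$targets.GetEnumerator() | ForEach-Object {
    Test-LowPrivWritable -Path $_.Value |
        Add-Member -NotePropertyName Source -NotePropertyValue $_.Key -PassThru
} | Format-Table Source, Target, Exists, CheckedPath, LowPrivWritable, GrantedTo -AutoSize
```

A row with LowPrivWritable set to True is the condition the advisory describes: a user who can write there controls what the application's OpenSSL loads when it initializes, and a Target that does not exist under a writable CheckedPath is the same problem one directory up. Deny ACEs are not modelled, and the launching user's own OPENSSL_CONF or OPENSSL_MODULES environment is invisible to the script, so treat the output as a starting point rather than a clean bill of health.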
KeePassXC has published a security advisory (GHSA-4gr2-cr97-cr97-q9fx) and issued an update that corrects the vulnerability. Users are strongly advised to update to the latest version of KeePassXC as soon as possible. The disclosure timeline shows the vulnerability was reported to the vendor on March 3, 2026; the coordinated public release of the advisory, and its last update, took place on March 16, 2026.
This vulnerability is particularly concerning because KeePassXC is widely used by security-conscious individuals and organizations to store and manage credentials. A successful exploit could allow an attacker to compromise the password manager's integrity, potentially leading to the theft of all stored credentials. The attack requires local access and the ability to execute low-privileged code, which could be achieved through malware, a compromised user account, or another initial access vector.
The flaw illustrates the ongoing challenge of securing configuration loading paths, especially when an application bundles a third-party library such as OpenSSL whose default configuration directory is fixed when the library is built rather than when the application is installed. Uncontrolled search path elements (CWE-427) are a well-known vulnerability class, yet they keep surfacing because an application that ships its own copy of a library also inherits the library's idea of where its configuration lives, and that location is only as safe as the directory permissions on the deployed machine. The KeePassXC team's prompt fix shows the value of coordinated disclosure and rapid patch deployment.
Users of KeePassXC should verify their current version and apply the security update immediately. Organizations that deploy KeePassXC across their endpoints should prioritize this patch in their vulnerability management process and, until it is rolled out, confirm that the directory the bundled OpenSSL reads its configuration from is writable only by administrators and does not sit under a user-writable parent. The advisory and update are available on the KeePassXC GitHub security page.