On January 21, 2023, a vulnerability in KeePass, CVE-2023-24055, was added to the National Vulnerability Database (NVD). I personally consider this vulnerability (feature) in KeePass a serious security risk.

In short: an attacker who has gained access to your system can change the KeePass configuration file so that the tool automatically exports all data stored in KeePass as soon as you log in to the KeePass tool. You yourself (through KeePass) trigger the export by logging in.

At this moment it does not seem the author of the tool is going to change this feature. Therefore I have chosen to write a small program to mitigate the risk.

I believe disabling the KeePass trigger system will prevent this option from being used.


So you need to make sure you disable the "trigger system". Changing this setting once is not sufficient, though: you also need to check that it has not been tampered with since. That is what the program "KeePass Secure Start" does: it checks that the "Trigger System" is still disabled. This appears in "KeePass.config.xml" like this:

<TriggerSystem>
    <Enabled>false</Enabled>
    <Triggers />
</TriggerSystem>


The program can be placed in the same directory as the KeePass executable. When "KeePassSecureStart.exe" is started, it validates the configuration file "%APPDATA%\KeePass\KeePass.config.xml". Only when the check passes does it start KeePass; all command-line parameters are passed through. For seamless integration you can change your file association to start "KeePassSecureStart.exe" instead of "KeePass.exe".
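A check of the kind described above, written here as an added Python example rather than the author's "KeePass Secure Start" program: it parses the config, requires <Enabled> to be false and <Triggers> to be empty, and only then launches KeePass.exe with the arguments passed through. The XML samples are constructed; the Configuration/Application nesting around TriggerSystem and the location of KeePass.exe next to the script are assumptions.

```python
import os
import subprocess
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of KeePass.config.xml in the safe state
# (the Configuration/Application nesting is assumed, not taken from the page).
SAFE_CONFIG = """<Configuration><Application><TriggerSystem>
  <Enabled>false</Enabled>
  <Triggers />
</TriggerSystem></Application></Configuration>"""

# Constructed tampered sample: trigger system re-enabled and one trigger added.
TAMPERED_CONFIG = SAFE_CONFIG.replace(
    "<Enabled>false</Enabled>", "<Enabled>true</Enabled>").replace(
    "<Triggers />", "<Triggers><Trigger><Name>x</Name></Trigger></Triggers>")

def check_trigger_system(xml_text: str) -> list:
    """Return a list of findings; an empty list means the trigger system is off."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"config is not well-formed XML: {exc}"]
    systems = list(root.iter("TriggerSystem"))
    if not systems:  # nothing proves the trigger system is disabled, so refuse
        return ["no <TriggerSystem> element found"]
    findings = []
    for ts in systems:
        enabled = ts.findtext("Enabled", default="")
        if enabled.strip().lower() != "false":
            findings.append(f"<Enabled> is '{enabled}' instead of 'false'")
        triggers = ts.find("Triggers")
        if triggers is not None and len(triggers):
            names = [t.findtext("Name", default="?") for t in triggers]
            findings.append(f"{len(names)} trigger(s) defined: {names}")
    return findings

def main() -> int:
    cfg = os.path.expandvars(r"%APPDATA%\KeePass\KeePass.config.xml")
    with open(cfg, encoding="utf-8") as fh:
        findings = check_trigger_system(fh.read())
    if findings:
        print("KeePass config check FAILED, not starting KeePass:", *findings, sep="\n - ")
        return 1
    # Launch KeePass.exe from this script's directory, passing all arguments through.
    exe = os.path.join(os.path.dirname(os.path.abspath(__file__)), "KeePass.exe")
    return subprocess.call([exe, *sys.argv[1:]])

if __name__ == "__main__":
    sys.exit(main())
```

A missing TriggerSystem element is treated as a failure on purpose: the launcher should only start KeePass when the file positively shows the trigger system switched off.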

Files can be downloaded here:

The program assumes you have used the installer for installing KeePass on your PC.