Platform
openssl
Component
openssl
Fixed in
2.7.12
CVE-2026-4158 is a local privilege escalation vulnerability affecting the OpenSSL configuration used by KeePassXC. A local attacker can exploit an unsecured configuration path to gain elevated privileges. The vulnerability affects KeePassXC versions 2.7.11–2.7.11, and a fix is expected to be released by the vendor.
The primary impact of CVE-2026-4158 is local privilege escalation. An attacker who can already run low-privileged code on a system running KeePassXC can exploit this vulnerability to gain higher-level access: reading sensitive data stored in KeePassXC databases, modifying system configuration, or executing arbitrary code with the privileges of the KeePassXC process. Because the OpenSSL configuration path is not protected, an attacker can place a malicious configuration file there and hijack the OpenSSL library's behaviour inside KeePassXC. This is a significant risk wherever KeePassXC is used to manage sensitive credentials.
CVE-2026-4158 was publicly disclosed on 2026-04-11. No public proof-of-concept (PoC) code is currently available, but the nature of the flaw suggests it would be straightforward to exploit once a PoC is developed. The EPSS score is pending evaluation. This vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4158 is to upgrade KeePassXC to a version that incorporates the security fix. Until a patched version is available, restrict access to the OpenSSL configuration directory so that it cannot be modified without authorization: apply strict file permissions and access controls that limit who can write to the directory and to the configuration file inside it. Monitoring system logs for unexpected modifications of, or access attempts to, the OpenSSL configuration directory can also help detect exploitation. After upgrading, confirm the fix by verifying that the OpenSSL version has been updated and by re-testing access to the configuration path.
Update KeePassXC to a version that uses a patched OpenSSL; the KeePassXC documentation gives specific instructions on how to update the software. Ensure that the OpenSSL configuration does not allow configuration files to be read from insecure locations.
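The permission check described above, as an added POSIX shell audit helper that is not part of the advisory or of the KeePassXC project. It locates the OpenSSL configuration directory with `openssl version -d`, then verifies that the directory, its `openssl.cnf`, and any `OPENSSL_CONF` override are owned by the expected account (assumed to be `root`) and are not group- or world-writable; the output labels and the file name `openssl_config_audit.sh` are my own choices.

```shell
#!/bin/sh
# Added audit helper; not code from the advisory or from the KeePassXC project.
# Verifies that a path OpenSSL reads configuration from is owned by the expected
# account and is not writable by group or others. Prints one line per finding.

# check_config_path PATH [EXPECTED_OWNER]  -> returns 0 if locked down, 1 otherwise
check_config_path() {
    path="$1"
    want_owner="${2:-root}"
    if [ ! -e "$path" ]; then
        echo "MISSING  $path (a path that does not exist could be created by an unprivileged user)"
        return 1
    fi
    # Parse ls -ld rather than stat so the check works on GNU and BSD userlands.
    line=$(ls -ld "$path")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    status=0
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER    $path owned by $owner, expected $want_owner"
        status=1
    fi
    # Position 6 of the mode string is the group write bit, position 9 the other-write bit.
    case "$mode" in ?????w*)    echo "GROUP-W  $path is group-writable ($mode)"; status=1 ;; esac
    case "$mode" in ????????w*) echo "WORLD-W  $path is world-writable ($mode)"; status=1 ;; esac
    return "$status"
}

# audit_openssl_config -> checks OPENSSLDIR, its openssl.cnf, and any OPENSSL_CONF override
audit_openssl_config() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found in PATH"
        return 1
    fi
    # `openssl version -d` prints a line of the form: OPENSSLDIR: "/usr/lib/ssl"
    dir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    rc=0
    check_config_path "$dir" || rc=1
    check_config_path "$dir/openssl.cnf" || rc=1
    # OPENSSL_CONF overrides the compiled-in file; a writable override carries the same risk.
    if [ -n "${OPENSSL_CONF:-}" ]; then
        check_config_path "$OPENSSL_CONF" || rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       OpenSSL configuration path is locked down ($dir)"
    return "$rc"
}

# Run the audit only when this file is executed directly: sh openssl_config_audit.sh
case "${0##*/}" in openssl_config_audit.sh) audit_openssl_config ;; esac
```

A non-zero exit from `audit_openssl_config` means at least one finding was printed and should be treated as a configuration that needs tightening before the upgrade lands.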
CVE-2026-4158 is a HIGH severity vulnerability in OpenSSL affecting KeePassXC versions 2.7.11–2.7.11. It allows local attackers to escalate privileges by exploiting an unsecured configuration path.
If you are using KeePassXC version 2.7.11, you are potentially affected by this vulnerability. Check your version and upgrade as soon as a patch is available.
The recommended fix is to upgrade KeePassXC to a patched version that addresses the vulnerability. Until a patch is available, restrict access to the OpenSSL configuration directory.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests it could be exploited once a PoC is developed.
Refer to the official KeePassXC website and security advisories for updates and information regarding CVE-2026-4158.