KeePass used to have more than one method for safeguarding the vault created., however it has shortened the list of these down to the master password as it was the most common one used anyway. The master password then becomes the decryption key to gain access to the passwords stored in the vault. The vulnerability allows someone to scrape the master password from memory and other files found on the system (like pagefile.sys and hiberfil.sys). You can also recover the password via a complete memory dump or just a process dump. It does not matter if the vault is locked, or the application is closed. The master password can still be pulled down. The flaw is in a part of the application where passwords are entered called SecureTextBoxEx. This password entry box leaves traces of the passwords typed in memory including the master password and potentially other passwords entered inside the vault.

There is good news here though, to grab the passwords an attacker must have already compromised the system. This does not mean that someone could not leverage an information stealing malware with commands to search for KeePass would not be able to grab your master password. So protection from general malware should block this type of attempt. Also, as it is dumping memory MDR/XDR products that monitor and prevent process dumps and access to both hiberfil and pagefile should be able to prevent this. KeePass is also aware of this flaw and anticipates having a fix for it. This fix was originally expected to roll out In July, but with the disclosure of the flaw this might roll out in the next two weeks.