Potential KeePass Flaw Discovered Allowing Plaintext Vault Export

This “vulnerability” is controversial from the perspective of KeePass and other information security practitioners. Both parties point out that a user’s failure to secure write access to the KeePass configuration file isn’t an inherent vulnerability in KeePass itself. Furthermore, if a threat actor is able to access a properly protected configuration file, the ways to steal the contents of the victim’s KeePass vault are nearly endless. For example, a threat actor could replace the KeePass binary with an infected version, install a keylogging program to intercept the master password, read the contents of a decrypted database from memory, and more. However, the addition of the user requests listed above could help mitigate unprivileged attacks against the KeePass vault in the event that a user has improperly secured their configuration file.

https://www.bleepingcomputer.com/news/security/keepass-disputes-vulnerability-allowing-stealthy-password-theft/