All versions of KeePass, an open source password manager, are vulnerable to a man-in-the-middle (MitM) attack because of the way the application checks for updates. KeePass requests update information over plain HTTP, so an attacker positioned on the network path, for example through ARP spoofing or by offering a malicious Wi-Fi hotspot, can modify the server's response. The development team is fully aware of the flaw (CVE-2016-5119) but currently has no intention of fixing it.
It is a simple flaw: the traffic between the application and the update server is not encrypted, so it can be intercepted and manipulated.
According to helpnetsecurity, when Bogner, who discovered the flaw, notified the developers, KeePass developer Dominic Reichl responded that “The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution.”
Users can protect themselves by downloading new versions directly from the KeePass site and verifying every download before installing it.
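The two defensive measures implied above, transporting update metadata only over HTTPS and verifying a download against a published digest, can be demonstrated in a small client. The following is an added example, not KeePass's own update code; the manifest format (`name:version:sha256`), the product name, the version string, the URLs and the installer bytes are all constructed for illustration.

```python
"""
Added example (not KeePass's own code): a minimal update-check client that
(1) refuses to fetch update metadata over plain HTTP, where an on-path attacker
could rewrite it, and (2) verifies a downloaded installer against a SHA-256
digest from the manifest using a constant-time comparison before accepting it.
Manifest format, product name, version and sample bytes are constructed.
"""
import hashlib
import hmac
from urllib.parse import urlparse


class UpdateCheckError(Exception):
    """Raised whenever the update flow must stop rather than trust the data."""


def require_https(url: str) -> str:
    """Reject any update URL that is not HTTPS; plain HTTP has no integrity."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateCheckError(f"refusing non-HTTPS update URL: {url!r}")
    return url


def parse_manifest(text: str) -> dict:
    """
    Parse a 'name:version:sha256' manifest (constructed format, not KeePass's).
    Returns {name: (version, sha256_hex)}; malformed lines are an error, not
    silently skipped, so a tampered or truncated manifest cannot pass as empty.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3:
            raise UpdateCheckError(f"manifest line {lineno} malformed: {raw!r}")
        name, version, digest = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise UpdateCheckError(f"manifest line {lineno}: bad sha256 {digest!r}")
        entries[name] = (version, digest)
    return entries


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare the actual digest of `data` to the expected one in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def accept_installer(manifest_text: str, product: str, installer: bytes) -> str:
    """
    Return the manifest version for `product` only if `installer` matches the
    digest listed for it; otherwise raise so the download is discarded.
    """
    entries = parse_manifest(manifest_text)
    if product not in entries:
        raise UpdateCheckError(f"no manifest entry for {product!r}")
    version, digest = entries[product]
    if not verify_sha256(installer, digest):
        raise UpdateCheckError("installer digest mismatch; discarding download")
    return version


# Constructed sample data: a "good" installer, a manifest listing its digest,
# and a modified installer that must be rejected.
GOOD_INSTALLER = b"constructed installer bytes"
MANIFEST = (
    "# constructed manifest, not a real KeePass version file\n"
    "ExampleApp:9.99.9-example:" + hashlib.sha256(GOOD_INSTALLER).hexdigest() + "\n"
)
TAMPERED_INSTALLER = b"constructed installer bytes with an extra payload"

if __name__ == "__main__":
    print(require_https("https://updates.example.invalid/version.txt"))
    print("accepted version:", accept_installer(MANIFEST, "ExampleApp", GOOD_INSTALLER))
    try:
        accept_installer(MANIFEST, "ExampleApp", TAMPERED_INSTALLER)
    except UpdateCheckError as err:
        print("rejected:", err)
```

The HTTPS check only protects the metadata in transit; the digest check is what protects the installer itself, and it is only as trustworthy as the channel the manifest arrived over, which is why the two belong together.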