Critical Authentication Bypass Flaw Discovered in Passwordstate; Immediate Patch Urged
- John Jordan
- 3 days ago
Click Studios has released an urgent security update for its enterprise password manager, Passwordstate, to address a high-severity authentication bypass vulnerability. The flaw, found in the Emergency Access page, could allow attackers to gain administrative access to the system through a specially crafted URL. The company is strongly advising all users to upgrade to the latest version, Build 9972, as soon as possible to mitigate the risk.
Key Takeaways
- A critical authentication bypass vulnerability has been identified in Passwordstate's Emergency Access page.
- Attackers can exploit this flaw using a "carefully crafted URL" to gain unauthorized administrative access.
- Click Studios has released version 9.9 (Build 9972) to patch the vulnerability.
- Users are strongly advised to upgrade immediately.
- A temporary workaround involves restricting access to the Emergency Access page via IP address.
Vulnerability Details
The vulnerability, which is still awaiting a CVE identifier, allows an unauthenticated attacker to bypass security measures on Passwordstate's Emergency Access page. This page is designed as a last resort for administrators to access the system when other accounts are locked out. By manipulating the URL, an attacker could gain full administrative privileges, although doing so would trigger alerts to security administrators.
Impact and User Base
Passwordstate is a widely used enterprise-grade password management solution, employed by approximately 29,000 customers and 370,000 IT and security professionals globally. Its user base includes government agencies, financial institutions, and Fortune 500 companies, highlighting the significant potential impact of this vulnerability.
Click Studios' Response and Recommendations
Click Studios has acted swiftly to address the issue, releasing version 9.9 (Build 9972) on August 28, 2025. The update includes fixes for this authentication bypass and also enhances protections against clickjacking attacks targeting the software's browser extension. For users unable to upgrade immediately, Click Studios has provided a temporary workaround: configuring the "Emergency Access Allowed IP Address" in the system settings. However, the company emphasizes that this is a partial fix and a full upgrade is the recommended course of action.
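As an added defender-side check, not taken from the article or from Click Studios, the script below parses IIS W3C log lines and reports requests to the Emergency Access page whose client IP falls outside the allowlist that the workaround configures, so an administrator can confirm the restriction is holding and see any attempts that reached the page from elsewhere. The page path /emergency, the log excerpt and the allowlist are constructed assumptions for the example.

```python
import ipaddress

# Path of the Passwordstate Emergency Access page: assumed for this example,
# adjust it to match your deployment's actual URL.
EMERGENCY_PATH = "/emergency"

# Constructed IIS W3C log excerpt (not real traffic). Column order is taken
# from the #Fields: header rather than hard-coded.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-08-29 09:14:02 10.0.5.12 GET /emergency - 200
2025-08-29 09:15:47 203.0.113.44 GET /emergency - 200
2025-08-29 09:16:10 203.0.113.44 GET /emergency ReturnUrl=/ 302
2025-08-29 09:17:00 10.0.5.12 GET /passwords - 200
2025-08-29 09:18:33 10.0.9.200 POST /emergency - 200
"""


def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def audit_emergency_access(log_text, allowed_cidrs, path=EMERGENCY_PATH):
    """Return (total Emergency Access hits, records whose source IP is outside the allowlist)."""
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    total, outside = 0, []
    for rec in parse_w3c(log_text):
        if rec.get("cs-uri-stem", "").lower().rstrip("/") != path.lower().rstrip("/"):
            continue
        total += 1
        try:
            ip = ipaddress.ip_address(rec["c-ip"])
        except ValueError:
            outside.append(rec)  # unparseable source address: treat as suspicious
            continue
        if not any(ip in net for net in networks):
            outside.append(rec)
    return total, outside


if __name__ == "__main__":
    total, hits = audit_emergency_access(SAMPLE_LOG, ["10.0.5.0/24"])
    print(f"{total} Emergency Access requests, {len(hits)} from outside the allowlist")
    for h in hits:
        print(f"{h['date']} {h['time']} {h['c-ip']} {h['cs-method']} {h['cs-uri-stem']} -> {h['sc-status']}")
```

Run it against the server's real IIS logs with the same CIDRs you entered under "Emergency Access Allowed IP Address"; any record it reports is a request that the restriction should have blocked or that predates the workaround.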
This incident follows previous security concerns with Passwordstate, including a supply chain breach in 2021 and several other security flaws addressed in 2022 and 2024.
Sources
- Click Studios Patches Passwordstate Authentication Bypass Vulnerability in Emergency Access Page, The Hacker News.
- Passwordstate dev urges users to patch auth bypass vulnerability, BleepingComputer.
- Passwordstate patches auth bypass – via URL, The Stack.
- Passwordstate users should patch this auth bypass vulnerability immediately, company says, TechRadar.
- Enterprise password crew Passwordstate patches auth vuln, The Register.