Passwordstate Update Fixes Critical Vulnerability, Enhances Security Against Clickjacking Attacks
August 29, 2025
In August 2025, Click Studios released Passwordstate 9.9 (Build 9972), a security update that fixes a critical authentication bypass vulnerability in the Emergency Access page.
This update comes over four years after a 2021 supply chain breach that compromised the software's update mechanism, raising ongoing concerns about its security integrity.
Passwordstate, used by approximately 29,000 clients including global enterprises, government agencies, and Fortune 500 companies, remains a significant target for cyber threats.
The vulnerability involved a potential authentication bypass through a carefully crafted URL, which could be exploited to access sensitive data.
Security researcher Marek Tóth found that a single click on a malicious website could allow attackers to steal data, including credit card information, personal data, login credentials, and TOTP codes, via vulnerable password manager browser extensions.
The latest update also enhances protections against clickjacking attacks on its browser extension, likely in response to Tóth's findings on DOM-based extension clickjacking.
Summary based on 1 source
Source

The Hacker News • Aug 29, 2025
Click Studios Patches Passwordstate Authentication Bypass Vulnerability in Emergency Access Page