Passwordstate, the enterprise password manager from Click Studios, has a high-severity vulnerability patch. The issue could be exploited by an attacker who crafts a URL to reach Passwordstate’s Emergency Access page and move later into the admin console.
Click Studios describes the flaw as an authentication bypass affecting the core Passwordstate product, and said a CVE identifier has not yet been issued.
Passwordstate is used by about 29,000 customers and 370,000 security professionals. The product is designed to safeguard a company’s most privileged credentials and integrates with Active Directory for tasks such as user provisioning, password resets, event auditing, and remote session logins.
The vendor noted that the fix also patches a second vulnerability and urged customers to apply the update promptly to close the exposure. The bypass vulnerability was described as enabling access to the Passwordstate Administration section via a crafted link.
This advisory arrives after Passwordstate’s update mechanism previously suffered a breach in 2021, which led to compromised passwords and phishing incidents. Click Studios later urged affected customers to reset stored passwords and apply the security update.
Users are advised to upgrade to the latest Passwordstate release as soon as possible and monitor for further advisories as no CVE has yet been published.
