What is the Passwordstate authentication bypass vulnerability?

Click Studios has reported an authentication bypass vulnerability affecting its Passwordstate enterprise password management platform. The vulnerability allows attackers to use a crafted URL against the Emergency Access page to bypass authentication and gain unauthorized access to the Passwordstate Administration section.

Has this Passwordstate vulnerability been assigned a CVE number?

The vulnerability is currently pending CVE assignment. While Click Studios has reported the issue, it has not yet received an official CVE identifier from the CVE numbering authorities.

When was the Passwordstate vulnerability patched?

The flaw was patched in Passwordstate 9.9 Build 9972, which was released on August 28, 2025. Click Studios strongly recommends all customers upgrade to this build as soon as possible.

How does the Passwordstate authentication bypass work?

The vulnerability allows attackers to use a crafted URL specifically targeting the Emergency Access page to bypass normal authentication mechanisms and gain unauthorized access to the Passwordstate Administration section. The exact technical details of the crafted URL have not been disclosed to prevent exploitation.

What versions of Passwordstate are affected by this vulnerability?

The vulnerability affects Passwordstate versions prior to 9.9 Build 9972. All organizations running earlier versions should upgrade to Build 9972 or later to address this security issue.

Is the Emergency Access IP restriction a permanent fix for the Passwordstate vulnerability?

No, the Emergency Access Allowed IP Address restrictions are only a short-term partial fix. Click Studios emphasizes that this workaround should not be considered a permanent solution, and all customers should upgrade to Passwordstate 9.9 Build 9972 as soon as possible for complete protection.

Advisory

Click Studios reports authentication bypass vulnerability in their Passwordstate password manager

Q: What is Passwordstate and what does it do?

Passwordstate is a password vault that helps organizations store, organize, and control access to passwords, API keys, certificates, and various other types of credentials via a centralized web interface. It's an enterprise password management platform used by organizations to securely manage their credentials.

published: Aug. 30, 2025

Take action: If you use Passwordstate password management, upgrade immediately to Build 9972. Until you can upgrade, restrict Emergency Access to specific IP addresses in System Settings

Learn More

Click Studios is reporting an authentication bypass vulnerability affecting its Passwordstate enterprise password management platform.

Passwordstate is a password vault that helps organizations to store, organize, and control access to passwords, API keys, certificates, and various other types of credentials via a centralized web interface.

The vulnerability, which is pending CVE assignment, allows attackers to use a crafted URL against the Emergency Access page to bypass authentication and gain unauthorized access to the Passwordstate Administration section.

The flaw was patched in Passwordstate 9.9 Build 9972, released on August 28, 2025

For organizations unable to upgrade immediately, Click Studio is recommending administrators set the Emergency Access Allowed IP Address restrictions under System Settings to limit access by IP ranges. This is to be considered as only a short-term partial fix. The company strongly recommends all customers upgrade to Build 9972 as soon as possible.

Click Studios reports authentication bypass vulnerability in their Passwordstate password manager

Read More
SAP March 2026 Updates Patch Critical FS-QUO, NetWeaver …
Trimble and CISA report active exploitation of their …
Critical Ni8mare flaw in n8n allows unauthenticated remote …
Apache InLong project reports critical flaw in its …
Multiple flaws found in AI systems, at least …