Security researchers discovered a critical zero-day vulnerability in a widely-used password manager application that could allow attackers to decrypt stored credentials and master passwords. The flaw has already been exploited in the wild.

The vulnerability, tracked as CVE-2026-3847, affects the desktop version of the application and stems from an improper implementation of its encryption protocol. An attacker with local access could extract passwords from memory.

The developer released an emergency patch within hours of disclosure and urged all users to update immediately. The company said the cloud and mobile versions are not affected.

Cybersecurity experts recommend that users change their master passwords after updating and enable two-factor authentication on all accounts. The incident highlights the risks of storing all credentials in a single application.