Zero-Day Clickjacking Vulnerabilities in Major Password Managers

Update regarding the vulnerability state of the 11 password managers mentioned.

tl;dr: Only LogmeOnce is still fully vulnerable. 1Password released a first fix and blog post/statement (a second fix is on the way). LastPass won’t do more (if you’re still using LastPass…). Every other password manager mentioned released a fix and communicated with their users about it.

:orange_circle: 1Password
Vulnerable version: <8.11.7.2
Partially fixed: 8.11.7
Improvement: You can now choose to have 1Password ask before it autofills logins, credit cards, or other non-credential items in your browser. You can turn on “Ask before filling” for certain items under Settings > Security. Please see the accompanying security advisory.
Vulnerable methods: Parent Element, Overlay
In addition to the clickjacking vulnerability, 1Password has confusing text in the dialog box when filling in a credit card: it only shows the generic word “item”, so the user may not know that it is a credit card.
Upcoming fix: 8.11.7.2 (check the blog post for the details)

:green_circle: Bitwarden
Vulnerable version: 2025.7.0
Fixed: 2025.8.0
Vulnerable methods: Parent Element

:green_circle: Dashlane
Fixed: v6.2531.1 (1.8.2025)
Security Overview: https://support.dashlane.com/hc/en-us/articles/28598967624722-Advisory-Passkey-Dialog-Clickjacking-Issue

:orange_circle: Enpass
Vulnerable version: 6.11.6 (latest)
Vulnerable methods: Parent Element, Overlay
Fixed Method: Extension Element <6.11.4.2 (19.5.2025)
Release Notes: https://www.enpass.io/release-notes/enpass-browser-extensions/

:orange_circle: iCloud Passwords
Vulnerable version: 3.1.25 (latest) / Note from commenter: partially fixed, no other info from Apple at this time
Methods: Overlay
Fixed Method: Extension Element <2.3.22 (12.8.2024)
Acknowledgements: August 2024 https://support.apple.com/en-us/122162

:green_circle: Keeper
Fixed Methods:
Extension Element <17.1.1 (1.5.2025)
Overlay <17.2.0 (29.7.2025)

:orange_circle: :cross_mark: LastPass
Vulnerable version: 4.146.1 (latest)
Vulnerable methods: Parent Element, Overlay
Fixed: Credit Card, Personal Data <=4.125.0 (15.12.2023) / Note from commenter: partially fixed, won’t make further change.

:red_circle: LogMeOnce
Vulnerable version: 7.12.4 (latest)
Vulnerable methods: Extension Element, Parent Element, Overlay

:green_circle: NordPass
Fixed: <5.13.24 (15.2.2024)

:green_circle: ProtonPass
Fixed Methods:
Extension Element, Parent Element <1.9.5 (22.12.2023)
Extension Element <=1.31.0 (CRX)
Overlay <=1.31.4
Acknowledgements: https://proton.me/blog/protonmail-security-contributors

:green_circle: RoboForm
Fixed Methods:
Extension Element <9.5.6 (7.12.2023)
Parent Element, Overlay <9.7.6 (25.7.2024)
Release Notes: https://www.roboform.com/news-ext-chrome

Long story short: only web extensions are impacted. Desktop and mobile apps are safe. If you’re using a web browser extension, make sure to turn off autofill until a fix is released. If you’re using a Chromium web browser, you can also change the “Site access” setting of your password manager extension to “On click”.

If it wasn’t the case already (assuming that your threat model requires it):

2FA should be strictly separated from login credentials. When everything is stored in one place, an attacker who exploits a vulnerable password manager could gain access to the account even with 2FA enabled.
