diff --git a/backend/src/services/contract.service.ts b/backend/src/services/contract.service.ts
index 7391b956..f25dcbf0 100644
--- a/backend/src/services/contract.service.ts
+++ b/backend/src/services/contract.service.ts
@@ -177,6 +177,13 @@ export async function getContractById(id: number, decryptPassword = false) {
     }
   }
 
+  // Virtuelles Bool-Flag, damit das Frontend "PW gesetzt?" weiß, ohne dass
+  // der verschlüsselte Blob in die Response leakt (sanitizeContract strippt
+  // portalPasswordEncrypted bewusst). Pentest Runde 15 – sensitive Feld
+  // raus aus /contracts/:id; UI nutzt jetzt `hasPortalPassword`.
+  (contract as Record<string, unknown>).hasPortalPassword =
+    !!contract.portalPasswordEncrypted;
+
   return contract;
 }
 
diff --git a/frontend/src/pages/contracts/ContractDetail.tsx b/frontend/src/pages/contracts/ContractDetail.tsx
index 16f42128..35d48630 100644
--- a/frontend/src/pages/contracts/ContractDetail.tsx
+++ b/frontend/src/pages/contracts/ContractDetail.tsx
@@ -2399,7 +2399,7 @@ export default function ContractDetail() {
       </div>
 
       {/* Portal Credentials */}
-      {(c.portalUsername || c.stressfreiEmail || c.portalPasswordEncrypted) && (
+      {(c.portalUsername || c.stressfreiEmail || c.hasPortalPassword) && (
         <Card className="mb-6" title="Zugangsdaten">
           <dl className="grid grid-cols-2 gap-4">
             {(c.portalUsername || c.stressfreiEmail) && (
@@ -2416,7 +2416,7 @@ export default function ContractDetail() {
                 </dd>
               </div>
             )}
-            {c.portalPasswordEncrypted && (
+            {c.hasPortalPassword && (
               <div>
                 <dt className="text-sm text-gray-500">Passwort</dt>
                 <dd className="flex items-center gap-2">
@@ -2435,7 +2435,7 @@ export default function ContractDetail() {
           </dl>
 
           {/* Auto-Login Button */}
-          {c.provider?.portalUrl && (c.portalUsername || c.stressfreiEmail) && c.portalPasswordEncrypted && (
+          {c.provider?.portalUrl && (c.portalUsername || c.stressfreiEmail) && c.hasPortalPassword && (
             <div className="mt-4 pt-4 border-t">
               <Button
                 onClick={handleAutoLogin}
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index d2a50ac4..4900b395 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -429,7 +429,10 @@ export interface Contract {
   contractDuration?: ContractDuration;
   commission?: number;
   portalUsername?: string;
-  portalPasswordEncrypted?: string;
+  /** Backend liefert nur ein Bool-Flag – der verschlüsselte Wert selbst
+   *  bleibt server-seitig (sanitizeContract strippt `portalPasswordEncrypted`).
+   *  Entschlüsselter Wert kommt über `GET /contracts/:id/password`. */
+  hasPortalPassword?: boolean;
   notes?: string;
   // Kündigungsdokumente
   cancellationLetterPath?: string;