Skip to main content

App Authenticator CVE-2026-33874

| EUVDEUVD-2026-16816 HIGH
OS Command Injection (CWE-78)
2026-03-27 GitHub_M
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 21, 2026 - 19:22 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:12 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.16.0
EUVD ID Assigned
Mar 27, 2026 - 21:15 euvd
EUVD-2026-16816
Analysis Generated
Mar 27, 2026 - 21:15 vuln.today
CVE Published
Mar 27, 2026 - 20:23 nvd
HIGH 7.8

DescriptionGitHub Advisory

Gematik Authenticator securely authenticates users for login to digital health applications. Starting in version 4.12.0 and prior to version 4.16.0, the Mac OS version of the Authenticator is vulnerable to remote code execution, triggered when victims open a malicious file. Update the gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.

AnalysisAI

Remote code execution in gematik Authenticator (macOS) versions 4.12.0 through 4.15.x enables malicious file-triggered command injection when victims open crafted documents. This CWE-78 OS command injection flaw requires no authentication but depends on user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). No public exploit identified at time of analysis, though EPSS data not available. The authenticator serves German digital health applications, making this a high-impact target for healthcare sector attacks.

Technical ContextAI

The vulnerability stems from CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS command injection. The gematik Authenticator is a security-critical component for German healthcare infrastructure, providing authentication services for digital health applications (ePA, E-Rezept systems). The affected CPE (cpe:2.3:a:gematik:app-authenticator) confirms this impacts the macOS client specifically. Command injection vulnerabilities occur when applications pass unsanitized user-supplied input to system shell commands, allowing attackers to execute arbitrary commands with the privileges of the vulnerable application. In this case, the attack vector is local (AV:L), meaning it requires the malicious file to be opened on the victim's system rather than remote network exploitation, but the PR:N (no privileges required) indicates any local user can trigger it without needing elevated permissions beforehand.

RemediationAI

Vendor-released patch: version 4.16.0. Users must upgrade gematik Authenticator to version 4.16.0 or later to eliminate this vulnerability. Download the patched version from official gematik distribution channels. The vendor advisory explicitly states no workarounds exist, making upgrading the only effective mitigation. Healthcare organizations should prioritize deployment to all macOS users with access to digital health systems, particularly those handling electronic patient records (ePA) or e-prescription (E-Rezept) services. Implement endpoint detection controls to identify and block suspicious file types if immediate patching faces deployment delays, though this provides only partial protection. Complete remediation guidance is available at https://github.com/gematik/app-Authenticator/security/advisories/GHSA-mjgm-7hwc-qqcr.

Share

CVE-2026-33874 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy