Skip to main content

App Authenticator CVE-2026-33875

| EUVDEUVD-2026-16817 CRITICAL
Improper Verification of Source of a Communication Channel (CWE-940)
2026-03-27 GitHub_M
9.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:48 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.16.0
EUVD ID Assigned
Mar 27, 2026 - 21:15 euvd
EUVD-2026-16817
Analysis Generated
Mar 27, 2026 - 21:15 vuln.today
CVE Published
Mar 27, 2026 - 20:25 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.

AnalysisAI

Authentication flow hijacking in Gematik Authenticator (versions <4.16.0) enables remote attackers to impersonate victim users through malicious deep links. This affects a critical healthcare identity provider used across Germany's digital health infrastructure. The vulnerability requires user interaction (clicking a crafted link) but requires no attacker authentication (CVSS AV:N/PR:N/UI:R), enabling complete account takeover with high confidentiality and integrity impact. EPSS data not available; no public exploit identified at time of analysis, though the attack vector's social engineering component makes weaponization straightforward once technical details become public.

Technical ContextAI

Gematik Authenticator serves as Germany's national authentication framework for electronic health records and digital health services, making this a supply-chain-level vulnerability affecting downstream healthcare applications. The CWE-940 (Improper Verification of Source of a Communication Channel) classification indicates the authenticator fails to properly validate the origin or integrity of authentication flow initiation requests. Deep link handlers (custom URL schemes like gematik-auth://) are common mobile attack surfaces where malicious applications or web pages can trigger app actions with attacker-controlled parameters. The scope change (S:C) in the CVSS vector confirms the vulnerability transcends the vulnerable component's security boundary, allowing attackers to impact resources beyond the authenticator app itself-specifically, the victim's authenticated sessions in dependent health applications. The CPE identifier cpe:2.3:a:gematik:app-authenticator confirms this affects the core Authenticator application across all platforms.

RemediationAI

Vendor-released patch: version 4.16.0 or greater. Organizations deploying Gematik Authenticator must immediately update to version 4.16.0, which addresses the deep link validation flaw. End users should update through standard mobile app stores (Google Play, Apple App Store). Enterprises integrating Gematik authentication flows should verify all production instances are running patched versions and conduct impact assessments for any authentication events occurring before remediation. The vendor advisory explicitly states no workarounds exist, making immediate patching the only effective mitigation. Deployment guidance and security advisory are available at https://github.com/gematik/app-Authenticator/security/advisories/GHSA-qg87-cf56-2rmr. Given the healthcare sector context, coordinate patching with compliance teams to address potential breach notification requirements if exploitation is suspected.

Share

CVE-2026-33875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy