Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.
AnalysisAI
Authentication flow hijacking in Gematik Authenticator (versions <4.16.0) enables remote attackers to impersonate victim users through malicious deep links. This affects a critical healthcare identity provider used across Germany's digital health infrastructure. The vulnerability requires user interaction (clicking a crafted link) but requires no attacker authentication (CVSS AV:N/PR:N/UI:R), enabling complete account takeover with high confidentiality and integrity impact. EPSS data not available; no public exploit identified at time of analysis, though the attack vector's social engineering component makes weaponization straightforward once technical details become public.
Technical ContextAI
Gematik Authenticator serves as Germany's national authentication framework for electronic health records and digital health services, making this a supply-chain-level vulnerability affecting downstream healthcare applications. The CWE-940 (Improper Verification of Source of a Communication Channel) classification indicates the authenticator fails to properly validate the origin or integrity of authentication flow initiation requests. Deep link handlers (custom URL schemes like gematik-auth://) are common mobile attack surfaces where malicious applications or web pages can trigger app actions with attacker-controlled parameters. The scope change (S:C) in the CVSS vector confirms the vulnerability transcends the vulnerable component's security boundary, allowing attackers to impact resources beyond the authenticator app itself-specifically, the victim's authenticated sessions in dependent health applications. The CPE identifier cpe:2.3:a:gematik:app-authenticator confirms this affects the core Authenticator application across all platforms.
RemediationAI
Vendor-released patch: version 4.16.0 or greater. Organizations deploying Gematik Authenticator must immediately update to version 4.16.0, which addresses the deep link validation flaw. End users should update through standard mobile app stores (Google Play, Apple App Store). Enterprises integrating Gematik authentication flows should verify all production instances are running patched versions and conduct impact assessments for any authentication events occurring before remediation. The vendor advisory explicitly states no workarounds exist, making immediate patching the only effective mitigation. Deployment guidance and security advisory are available at https://github.com/gematik/app-Authenticator/security/advisories/GHSA-qg87-cf56-2rmr. Given the healthcare sector context, coordinate patching with compliance teams to address potential breach notification requirements if exploitation is suspected.
More in App Authenticator
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16817