Skip to main content

Microsoft Authenticator CVE-2026-41615

| EUVDEUVD-2026-30342 CRITICAL
Information Exposure (CWE-200)
2026-05-14 microsoft GHSA-ph7h-7q27-6hg2
9.6
CVSS 3.1 · NVD
Temporal: 8.3
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CIRCL (temporal)
8.3 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 17:45 vuln.today
CVE Published
May 14, 2026 - 17:00 nvd
CRITICAL 9.6

DescriptionCVE.org

Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.

AnalysisAI

Microsoft Authenticator on Android and iOS leaks sensitive information to unauthenticated remote attackers through network-based exploitation requiring user interaction. The scope change (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, suggesting potential cross-account or session data exposure. Microsoft has released a patch addressing this exposure. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Technical ContextAI

Microsoft Authenticator is a multi-factor authentication (MFA) mobile application for Android and iOS that generates time-based one-time passwords (TOTP) and handles push-based authentication requests. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating the application improperly handles, transmits, or stores authentication tokens, secrets, or user data in a manner accessible to network-based attackers. The changed scope (S:C) in the CVSS vector suggests the vulnerability may allow attackers to access authentication material beyond the immediate app sandbox, potentially affecting other applications or services relying on the compromised credentials.

RemediationAI

Update Microsoft Authenticator to the latest version from Google Play Store (Android) or Apple App Store (iOS) as specified in Microsoft Security Response Center advisory CVE-2026-41615 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41615). Organizations should push mobile device management (MDM) policies to enforce automatic updates or mandate minimum app versions. As interim mitigation for environments unable to immediately patch, consider disabling network-based authentication features if the app supports offline TOTP-only mode, though this may break push notification approval workflows. Educate users on phishing risks and suspicious authentication requests, as the UI:R requirement means social engineering is required for exploitation. Review authentication logs for anomalous approval patterns during the vulnerable period.

Share

CVE-2026-41615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy