Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.
AnalysisAI
Microsoft Authenticator on Android and iOS leaks sensitive information to unauthenticated remote attackers through network-based exploitation requiring user interaction. The scope change (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, suggesting potential cross-account or session data exposure. Microsoft has released a patch addressing this exposure. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Technical ContextAI
Microsoft Authenticator is a multi-factor authentication (MFA) mobile application for Android and iOS that generates time-based one-time passwords (TOTP) and handles push-based authentication requests. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating the application improperly handles, transmits, or stores authentication tokens, secrets, or user data in a manner accessible to network-based attackers. The changed scope (S:C) in the CVSS vector suggests the vulnerability may allow attackers to access authentication material beyond the immediate app sandbox, potentially affecting other applications or services relying on the compromised credentials.
RemediationAI
Update Microsoft Authenticator to the latest version from Google Play Store (Android) or Apple App Store (iOS) as specified in Microsoft Security Response Center advisory CVE-2026-41615 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41615). Organizations should push mobile device management (MDM) policies to enforce automatic updates or mandate minimum app versions. As interim mitigation for environments unable to immediately patch, consider disabling network-based authentication features if the app supports offline TOTP-only mode, though this may break push notification approval workflows. Educate users on phishing risks and suspicious authentication requests, as the UI:R requirement means social engineering is required for exploitation. Review authentication logs for anomalous approval patterns during the vulnerable period.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30342
GHSA-ph7h-7q27-6hg2