Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Gematik Authenticator securely authenticates users for login to digital health applications. Starting in version 4.12.0 and prior to version 4.16.0, the Mac OS version of the Authenticator is vulnerable to remote code execution, triggered when victims open a malicious file. Update the gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.
AnalysisAI
Remote code execution in gematik Authenticator (macOS) versions 4.12.0 through 4.15.x enables malicious file-triggered command injection when victims open crafted documents. This CWE-78 OS command injection flaw requires no authentication but depends on user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). No public exploit identified at time of analysis, though EPSS data not available. The authenticator serves German digital health applications, making this a high-impact target for healthcare sector attacks.
Technical ContextAI
The vulnerability stems from CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS command injection. The gematik Authenticator is a security-critical component for German healthcare infrastructure, providing authentication services for digital health applications (ePA, E-Rezept systems). The affected CPE (cpe:2.3:a:gematik:app-authenticator) confirms this impacts the macOS client specifically. Command injection vulnerabilities occur when applications pass unsanitized user-supplied input to system shell commands, allowing attackers to execute arbitrary commands with the privileges of the vulnerable application. In this case, the attack vector is local (AV:L), meaning it requires the malicious file to be opened on the victim's system rather than remote network exploitation, but the PR:N (no privileges required) indicates any local user can trigger it without needing elevated permissions beforehand.
RemediationAI
Vendor-released patch: version 4.16.0. Users must upgrade gematik Authenticator to version 4.16.0 or later to eliminate this vulnerability. Download the patched version from official gematik distribution channels. The vendor advisory explicitly states no workarounds exist, making upgrading the only effective mitigation. Healthcare organizations should prioritize deployment to all macOS users with access to digital health systems, particularly those handling electronic patient records (ePA) or e-prescription (E-Rezept) services. Implement endpoint detection controls to identify and block suspicious file types if immediate patching faces deployment delays, though this provides only partial protection. Complete remediation guidance is available at https://github.com/gematik/app-Authenticator/security/advisories/GHSA-mjgm-7hwc-qqcr.
More in App Authenticator
View allSame weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16816