Secure ISS

Microsoft Authenticator Information Disclosure Vulnerability

Overview

  • CVE: CVE-2026-26123

  • Severity: Medium

  • Platform: Microsoft Authenticator

  • Incident Type: Access Token Exposure

  • Advisory Date: 15 May 2026

Microsoft Authenticator is affected by an information disclosure vulnerability that may expose one-time sign-in codes or authentication deep links to a malicious application on the same iOS or Android device.

This is not currently assessed as a critical remote compromise issue. Exploitation requires local conditions, including a malicious app installed on the device and user interaction when selecting a handler for a sign-in deep link. Organisations should still prioritise updates because Microsoft Authenticator is commonly used to protect business, cloud, email, and production access.


Affected Versions

  • Microsoft Authenticator for Android versions prior to 6.2511.7533

  • Microsoft Authenticator for iOS versions prior to 6.8.40


Vulnerability Breakdown

CVE-2026-26123 - Microsoft Authenticator Information Disclosure Vulnerability

Severity: Medium

CVSS: 5.5

Description: CVE-2026-26123 is an information disclosure vulnerability in Microsoft Authenticator. The issue relates to handling authentication deep links and may allow sensitive sign-in information to be disclosed locally.

Impact: A malicious app on the same device may receive a one-time sign-in code or authentication deep link. If successful, an attacker may use that information to complete a login flow as the affected user.

Conditions: The user must have a malicious application installed on the device and accidentally select that application as the handler for the sign-in deep link. User interaction is required.

Notes: This affects Microsoft Authenticator on iOS and Android. The risk is higher for organisations that rely on mobile MFA for access to corporate email, cloud applications, production systems, or BYOD environments.


Mitigation

  • Update Microsoft Authenticator to the latest version on all iOS and Android devices.

  • Where possible, enforce mobile device management controls to keep security applications current.

  • Instruct users to avoid installing unknown or untrusted mobile applications.

  • When scanning QR codes or selecting sign-in links, verify that Microsoft Authenticator or another trusted application is selected as the handler.

  • Monitor for unusual sign-in activity, MFA prompts, and impossible travel alerts.

  • Review conditional access policies and strengthen MFA controls for privileged users.

  • Use mobile threat defence or anti-malware controls where available.
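Added example (not part of the advisory): a small compliance check that flags Microsoft Authenticator installs still below the fixed versions listed above (6.2511.7533 for Android, 6.8.40 for iOS), as an MDM-driven update enforcement step would need. The CSV inventory format, device ids and version values are constructed for illustration; a real MDM export will use its own columns.

```python
# Added example: flag Microsoft Authenticator installs older than the fixed
# versions named in the advisory, read from a (constructed) MDM inventory export.
import csv
import io

# Minimum fixed versions from the advisory, keyed by platform.
FIXED_VERSIONS = {
    "android": "6.2511.7533",
    "ios": "6.8.40",
}

def parse_version(v: str) -> tuple:
    """Split a dotted version into integers so that 6.8.40 compares greater
    than 6.8.9 (a plain string comparison would get this wrong)."""
    return tuple(int(part) for part in v.strip().split("."))

def is_vulnerable(platform: str, version: str) -> bool:
    """True when the installed version is older than the fixed version."""
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        raise ValueError(f"unknown platform: {platform}")
    return parse_version(version) < parse_version(fixed)

def find_outdated(inventory_csv: str) -> list:
    """Return (device_id, platform, version) for every Authenticator install
    that still needs the update; other apps in the inventory are ignored."""
    outdated = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["app"] != "Microsoft Authenticator":
            continue
        if is_vulnerable(row["platform"], row["version"]):
            outdated.append((row["device_id"], row["platform"], row["version"]))
    return outdated

# Constructed sample inventory; device ids and versions are made up.
SAMPLE_INVENTORY = """device_id,platform,app,version
dev-001,android,Microsoft Authenticator,6.2511.7533
dev-002,android,Microsoft Authenticator,6.2510.1200
dev-003,ios,Microsoft Authenticator,6.8.39
dev-004,ios,Microsoft Authenticator,6.8.40
dev-005,ios,Other App,1.0.0
"""

if __name__ == "__main__":
    for device, platform, version in find_outdated(SAMPLE_INVENTORY):
        print(f"{device}: {platform} Authenticator {version} is below the fixed version")
```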


Summary for IT Teams

Products: Microsoft Authenticator

Threat Level: Medium, CVSS 5.5

Action Required: Update Microsoft Authenticator on iOS and Android devices immediately. Reinforce user guidance around suspicious mobile apps and sign-in link handling. Review MFA and conditional access monitoring for high value accounts.


Reference

Microsoft Update Guide - CVE-2026-41615

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.