Microsoft warns of a security vulnerability in Authenticator
Attackers can intercept sign-in tokens and thus gain access.
A critical security vulnerability in Microsoft’s Authenticator can be exploited by attackers to obtain sign-in tokens. This enables unauthorized access to resources. Updated apps are now available.
Microsoft’s vulnerability entry [1] discusses the issue in general terms. Sensitive information can reach unauthorized parties because Microsoft Authenticator discloses information to attackers over the network. In the FAQ, Microsoft explains that the vulnerability can expose the sign-in token for users’ work accounts. This gives unauthorized parties access to data and services that the user account is authorized to access, potentially including sensitive corporate information.
To exploit the vulnerability, attackers must get a victim to interact with a seemingly legitimate malicious request. Once users confirm the request, attackers can cause the app to request access tokens on behalf of the users and deliver them to a service under the attackers’ control. Affected parties receive no clear information about what access was granted (CVE-2026-41615, CVSS 9.6, risk “critical”). However, NIST in the NVD list entry [2] arrives at a CVSS of 7.4, yielding only a “high” risk rating.
Microsoft Authenticator: Updates Available
Updated versions of Microsoft’s Authenticator are available in the respective app stores. On Android, version 6.2605.2973 and later resolves the issue; on iOS, software version 6.8.47 and later. Users who have enabled automatic app updates on their mobile operating system will receive the update automatically. Those who have disabled it must open the Google Play Store or iOS App Store and download and install the updated apps there.
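As an added example that is not part of the article and not Microsoft's own tooling, the following Python script checks a device inventory export against the fixed versions named above, so an administrator can list the devices still running a vulnerable build; the Device record, the device IDs and the inventory values are constructed for illustration.

```python
# Added example (not from the heise article or Microsoft): triage a device
# inventory for Microsoft Authenticator builds that still lack the fix for
# CVE-2026-41615, using the fixed versions the article names.
from dataclasses import dataclass

# Minimum fixed versions stated in the article, per platform.
FIXED_VERSIONS = {
    "android": "6.2605.2973",
    "ios": "6.8.47",
}

def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version string into a tuple of integers for ordering.
    Tuple comparison handles components of unequal length ("6.8" < "6.8.47")
    and avoids the string-comparison trap where "6.10" sorts below "6.8".
    """
    return tuple(int(part) for part in version.strip().split("."))

def is_patched(platform: str, version: str) -> bool:
    """True if the installed Authenticator build is at or above the fixed version."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= parse_version(FIXED_VERSIONS[key])

@dataclass(frozen=True)
class Device:
    device_id: str            # hypothetical inventory identifier
    platform: str
    authenticator_version: str

def unpatched_devices(inventory: list[Device]) -> list[str]:
    """Return the IDs of devices whose Authenticator build still needs the update."""
    return [d.device_id for d in inventory
            if not is_patched(d.platform, d.authenticator_version)]

# Constructed sample inventory (hypothetical device IDs and versions).
SAMPLE_INVENTORY = [
    Device("dev-001", "android", "6.2605.2973"),  # exactly the fixed build
    Device("dev-002", "android", "6.2604.9999"),  # older build, needs update
    Device("dev-003", "ios", "6.8.47"),
    Device("dev-004", "ios", "6.8.9"),   # sorts above "6.8.47" as a string, but is older
    Device("dev-005", "ios", "6.9.0"),
]

if __name__ == "__main__":
    for device_id in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{device_id}: update Microsoft Authenticator")
```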
Microsoft [3] further states that the vulnerability has not yet been exploited. There is also no public exploit available to date. Nevertheless, Microsoft Authenticator users should ensure they are running the current version. The Authenticator displays the installed version in the app menu under “Help”, further down under “About” – “Application Version”.
(dmk [5])
URL of this article: https://www.heise.de/-11296717
Links in this article:
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41615
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-41615
[3] https://www.heise.de/thema/Microsoft
[4] heise security PRO
[5] mailto:dmk@heise.de
Copyright © 2026 Heise Medien