Microsoft Authenticator Flaw Could Leak Login Codes

A newly disclosed vulnerability in Microsoft Authenticator could expose one time sign in codes or authentication deep links to a malicious app installed on the same mobile device. The issue, tracked as CVE-2026-26123, affects both Android and iOS and was published on March 10, 2026. Public CVE data rates the flaw as Medium severity with a CVSS 3.1 score of 5.5, and classifies it as a local attack that requires user interaction. The weakness is tied to CWE-939, which covers improper authorization in handlers for custom URL schemes.

Microsoft Authenticator is widely used to generate time based one time passcodes and process sign in links or QR based logins for Microsoft and other accounts. Deep links are specially structured URIs that open an app directly and trigger a specific action, such as completing a login. Because the app is commonly used on personal phones, including BYOD devices connected to business services, the impact could extend beyond consumer accounts into corporate environments.

CVE Snapshot

Item	Details
CVE	CVE-2026-26123
Product	Microsoft Authenticator
Platforms	Android and iOS
Severity	Medium
CVSS	5.5
Attack Vector	Local
User Interaction	Required
Weakness	CWE-939
Main Risk	Disclosure of sign in data or one time codes

The available advisories show that exploitation is not automatic. A victim would first need to install a rogue app and then accidentally allow that app to handle a sign in deep link. If that happens, the malicious app may receive the one time code or sign in information and use it to complete authentication as the victim. From there, an attacker could reach email, files, cloud apps, or even production systems tied to the compromised account. Malwarebytes also warns that attackers may pivot to additional accounts protected by codes delivered through the same device.

What Users Should Do

The fix is already included in current releases. According to the CVE record, affected versions include Microsoft Authenticator for Android 6.0.0 through before 6.2511.7533 and Microsoft Authenticator for iOS 6.0.0 through before 6.8.40. Users should update the app immediately through Google Play or the App Store. If updating is not possible right away, avoid newly installed apps that ask to handle authentication links, verify that Microsoft Authenticator is the selected handler for login prompts, and use trusted anti malware protection on mobile devices.

Prevention Step	Why It Matters
Update Microsoft Authenticator immediately	Installs the vendor fix for CVE-2026-26123
Avoid unknown or newly installed apps	Reduces the chance of a rogue app intercepting sign in data
Check which app opens sign in links	Helps ensure Microsoft Authenticator handles the authentication flow
Be careful with QR based logins	Prevents accidental redirection to a malicious handler
Use mobile security protection	Can help flag suspicious apps on the device
Review installed apps regularly	Helps remove software that could abuse authentication links

CVE-2025-21298 : Windows OLE Remote Code Execution Vulnerability

February 11, 2025

In "Cyber security"

CVE-2025-24071_PoC : A Tool For Demonstrating NTLM Hash Leak Vulnerability

March 20, 2025

In "Cyber security"

CVE-2023-43770 POC – Unveiling XSS Vulnerability In Roundcube

October 9, 2023

In "Cyber security"

0xSnow

0xSnow is a cybersecurity researcher with a focus on both offensive and defensive security. Working with ethical hacking, threat detection, Linux tools, and adversary simulation, 0xSnow explores vulnerabilities, attack chains, and mitigation strategies. Passionate about OSINT, malware analysis, and red/blue team tactics, 0xSnow shares detailed research, technical walkthroughs, and security tool insights to support the infosec community.