{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26123", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.911Z", "datePublished": "2026-03-10T19:01:31.904Z", "dateUpdated": "2026-04-14T16:36:41.358Z"}, "containers": {"cna": {"title": "Microsoft Authenticator Information Disclosure Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.2511.7533"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:authenticator_for_ios:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.8.40"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Authenticator for Android", "versions": [{"version": "6.0.0", "lessThan": "6.2511.7533", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Authenticator for IOS", "versions": [{"version": "6.0.0", "lessThan": "6.8.40", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-939: Improper Authorization in Handler for Custom URL Scheme", "lang": "en-US", "type": "CWE", "cweId": "CWE-939"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:41.358Z"}, "references": [{"name": "Microsoft Authenticator Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26123"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T16:08:00.119946Z", "id": "CVE-2026-26123", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T16:08:10.063Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26123", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T16:08:00.119946Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T16:08:07.194Z"}}], "cna": {"title": "Microsoft Authenticator Information Disclosure Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Authenticator for Android", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.2511.7533", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Microsoft Authenticator for IOS", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.8.40", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26123", "name": "Microsoft Authenticator Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-939", "description": "CWE-939: Improper Authorization in Handler for Custom URL Scheme"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.2511.7533", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:microsoft:authenticator_for_ios:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.40", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:41.358Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26123", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:41.358Z", "dateReserved": "2026-02-11T15:52:13.911Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T19:01:31.904Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "AAB20FDD-A48D-4866-AA0B-29575692D3DC", "versionEndExcluding": "6.8.40", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:android:*:*", "matchCriteriaId": "D74666A6-9C3E-4F41-879E-2A9EE7D85671", "versionEndExcluding": "6.2511.7533", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally."}, {"lang": "es", "value": "Cwe no est\u00e1 en las categor\u00edas rca en Microsoft Authenticator permite a un atacante no autorizado divulgar informaci\u00f3n localmente."}], "id": "CVE-2026-26123", "lastModified": "2026-03-13T20:45:13.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T20:16:34.597", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26123"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-939"}], "source": "secure@microsoft.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "product": "authenticator", "vendor": "microsoft"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.2511.7533)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "authenticator_for_android", "vendor": "microsoft"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.8.40)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft Authenticator for IOS", "source": "cna", "vendor": "Microsoft"}, "product": "authenticator_for_ios", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-16T23:13:49.750118+00:00", "value": {"mitigation_remediation": ["Check for and install the latest Microsoft Authenticator updates for both Android and iOS.", "If an update is not yet available, restrict device usage of the Authenticator app until a patch is released.", "Contact Microsoft support for guidance on interim protection measures."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected products are Microsoft Authenticator for Android and Microsoft Authenticator for iOS, as indicated by the CNA vendor list. No specific version ranges were provided in the data; hence, all currently deployed instances of these apps are potentially vulnerable until a patch is applied.", "description_and_impact": "The vulnerability identified in Microsoft Authenticator permits an unauthorized local attacker to disclose sensitive information. Key detail from vendor description: \"Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.\" This weakness aligns with CWE-939, indicating that the application exposes data through improper handling of authentication or input validation, potentially leading to partial or full disclosure of user data or operational details. The impact scoped to confidentiality loss without affecting integrity or availability.", "risk_and_exploitability": "The CVSS base score of 5.5 reflects moderate severity, while the EPSS score of <1% indicates low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Because it requires local or device\u2011based access, the attack vector is inferred to be local. While the impact is limited to information disclosure, the low likelihood of exploitation combined with the potential damage to user privacy suggests that organizations should treat this as a moderate risk warranting prompt remediation."}}}}, "created": "2026-03-11T11:43:28.052840+00:00", "updated": "2026-03-20T14:33:58.449590+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$authenticator", "microsoft$PRODUCT$authenticator_for_android", "microsoft$PRODUCT$authenticator_for_ios"]}