Authenticator leak patched

Microsoft patched a vulnerability in Microsoft Authenticator that could expose one‑time login codes to other apps on the same device. The flaw underscores persistent cross‑app data leakage risks on mobile platforms and affects both Android and iOS installations until users update.

The issue is tracked as CVE-2026-26123 (published to Microsoft's feed on March 10, 2026) and was scored CVSS v3.1 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) by NVD. (nvd.nist.gov) NVD and Microsoft classify the root cause as CWE-939 (improper authorization in a custom URL-scheme handler): a malicious app that registers itself as the handler for an authentication deep link can receive one-time codes or sign-in links during the hand-off. (nvd.nist.gov) NVD's CPE entries list vulnerable Authenticator builds up to (excluding) iOS 6.8.40 and Android 6.2511.7533. The fix was issued as part of Microsoft's March 2026 Patch Tuesday updates, and public trackers reported no confirmed active exploitation at disclosure. (nvd.nist.gov)
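To make the CWE-939 weakness class concrete, here is an Android manifest fragment, added as an illustrative example: it is not Microsoft's code and does not describe the actual Authenticator fix. The activity name, the `exampleauth` scheme and the `auth.example.com` host are placeholders.

```xml
<!-- Weak: a custom URL scheme. Any installed app can declare the same
     scheme, and the OS has no way to verify which app legitimately owns
     it, so a sign-in link carrying a one-time code may be delivered to
     whichever app registered it. -->
<activity android:name=".SignInCallbackActivity" android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="exampleauth" android:host="callback" />
    </intent-filter>
</activity>

<!-- Hardened: an https Android App Link. With autoVerify the OS fetches
     https://auth.example.com/.well-known/assetlinks.json, which lists the
     signing-certificate fingerprint of the only app allowed to handle
     these links, so the callback is not offered to other apps. -->
<activity android:name=".SignInCallbackActivity" android:exported="true">
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https"
              android:host="auth.example.com"
              android:pathPrefix="/callback" />
    </intent-filter>
</activity>
```

On iOS the equivalent mitigation is Universal Links backed by an apple-app-site-association file rather than a bare custom scheme; in either case, binding the callback to a PKCE code verifier held by the legitimate app means an intercepted code alone is not enough to complete sign-in.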
