Mar 2026: Microsoft Authenticator Information Disclosure Vulnerability
CVE-2026-26123 Published on March 10, 2026
Microsoft Authenticator Information Disclosure Vulnerability
Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
Weakness Type
Improper Authorization in Handler for Custom URL Scheme
The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme.
Products Associated with CVE-2026-26123
stack.watch emails you whenever new vulnerabilities are published in Microsoft Authenticator or Microsoft Authenticator For Ios. Just hit a watch button to start following.
Affected Versions
Microsoft Authenticator for Android:- Version 6.0.0 and below 6.2511.7533 is affected.
- Version 6.0.0 and below 6.8.40 is affected.