Description
Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability identified in Microsoft Authenticator permits an unauthorized local attacker to disclose sensitive information. Key detail from vendor description: "Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally." This weakness aligns with CWE-939, indicating that the application exposes data through improper handling of authentication or input validation, potentially leading to partial or full disclosure of user data or operational details. The impact is scoped to confidentiality loss and does not affect integrity or availability.

Affected Systems

Affected products are Microsoft Authenticator for Android and Microsoft Authenticator for iOS, as indicated by the CNA vendor list. No specific version ranges were provided in the data; hence, all currently deployed instances of these apps are potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS base score of 5.5 reflects moderate severity, while the EPSS score of <1% indicates low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Because it requires local or device‑based access, the attack vector is inferred to be local. While the impact is limited to information disclosure, the low likelihood of exploitation combined with the potential damage to user privacy suggests that organizations should treat this as a moderate risk warranting prompt remediation.

Generated by OpenCVE AI on March 16, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest Microsoft Authenticator updates for both Android and iOS.
  • If an update is not yet available, restrict device usage of the Authenticator app until a patch is released.
  • Contact Microsoft support for guidance on interim protection measures.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:iphone_os:*:*

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft authenticator For Android
Vendors & Products Microsoft authenticator For Android

Tue, 10 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
Title Microsoft Authenticator Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft authenticator
Microsoft authenticator For Ios
Weaknesses CWE-939
CPEs cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:authenticator_for_ios:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft authenticator
Microsoft authenticator For Ios
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:33:18.159Z

Reserved: 2026-02-11T15:52:13.911Z

Link: CVE-2026-26123

Vulnrichment

Updated: 2026-03-11T16:08:07.194Z

NVD

Status: Analyzed

Published: 2026-03-10T20:16:34.597

Modified: 2026-03-13T20:45:13.817

Link: CVE-2026-26123

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:33:58Z

Weaknesses