CVE-2026-33875 - Vulnerability Details

- Authenticator Vulnerable to Authentication Flow Hijack

Description

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.

Published: 2026-03-27

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Gematik Authenticator versions earlier than 4.16.0 allow an attacker to hijack the authentication flow through a malicious deep link, enabling the attacker to log in as the victim user. This leads to identity impersonation and unauthorized access to digital health applications, compromising user confidentiality and integrity. The weakness is identified as CWE‑940.

Affected Systems

Gematik Authenticator (app-Authenticator) for all versions prior to 4.16.0. The vulnerability affects the authentication process used by digital health applications that rely on this authenticator.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, indicating high severity, but the EPSS score is below 1% and it is not listed in CISA's KEV catalog, suggesting exploitation is unlikely in the near term. The attack vector appears to require the victim to click a malicious deep link, so it is a user‑interaction attack that can be staged through phishing. Because of the high impact and the low probability but potential for exploitation, organization should address it promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

gematik

app-Authenticator

affected

Version	Status	Constraints
`< 4.16.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:gematik:authenticator:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Gematik

App-authenticator

100%

Version	Status	Scheme	Platform
`[0,4.16.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Gematik Authenticator to version 4.16.0 or later as the official fix.
Verify that the updated authenticator is correctly deployed and configured in all digital health applications.
Monitor authentication logs for suspicious or repeated login attempts that may indicate exploitation.
Educate users to be cautious of unexpected deep links or messages that prompt them to authenticate.

Generated by OpenCVE AI on April 2, 2026 at 04:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00072.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/gematik/app-Authenticator/security/advisories/GHSA-qg87-cf56-2rmr
https://www.machinespirits.com/advisory/f41e56/

History

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
References		https://www.machinespirits.com/advisory/f41e56/

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gematik authenticator
CPEs		cpe:2.3:a:gematik:authenticator::::::::
Vendors & Products		Gematik authenticator

Mon, 30 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gematik Gematik app-authenticator
Vendors & Products		Gematik Gematik app-authenticator

Fri, 27 Mar 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.
Title		Authenticator Vulnerable to Authentication Flow Hijack
Weaknesses		CWE-940
References		https://github.com/gematik/app-Authenticator/security/advisories/GHSA-qg87-cf56-2rmr
Metrics		cvssV3_1 `{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}`

Subscriptions

Gematik App-authenticator Authenticator

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-27T20:25:15.850Z

Updated: 2026-04-03T15:21:15.316Z

Reserved: 2026-03-24T15:10:05.679Z

Link: CVE-2026-33875

Vulnrichment

Updated: 2026-04-03T15:21:15.316Z

NVD

Status : Modified

Published: 2026-03-27T21:17:24.377

Modified: 2026-04-03T16:16:40.093

Link: CVE-2026-33875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:23Z

Weaknesses

CWE-940

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object