Description
Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.
Published: 2026-05-14
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft Authenticator for Android and iOS contains a flaw that permits an unauthorized actor to retrieve sensitive information over the network. The vulnerability is classified as Information Exposure (CWE-200), indicating that confidentiality of the data handled by the authenticator is at risk if exploited.

Affected Systems

The flaw affects Microsoft Authenticator applications on Android and iOS platforms. Version details are not specified, so the vulnerability could potentially impact any builds of the authenticator until Microsoft releases a fix.

Risk and Exploitability

The high CVSS score of 9.6 reflects a severe confidentiality impact and the potential for widespread exploitation. The EPSS score is not available, which indicates limited public data about current exploitation attempts and leaves uncertainty about how frequently attackers may target this vulnerability. The description states that the information can be disclosed over a network, so based on the description, the likely attack vector is inferred to involve an adversary manipulating or intercepting the authenticator’s network traffic. The vulnerability is not currently listed in the CISA KEV catalog, but the combination of a high severity score and the ubiquity of the authenticator suggests that prompt remediation is advisable.

Generated by OpenCVE AI on May 14, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft Authenticator update to patch the information‑disclosure flaw.
  • Configure network or device security controls to limit the authenticator’s ability to communicate with untrusted networks until a patch becomes available.
  • Monitor device logs and network traffic for anomalous data export activities involving the authenticator to detect possible exploitation attempts.

Generated by OpenCVE AI on May 14, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:iphone_os:*:*

Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.
Title Microsoft Authenticator Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft authenticator
Microsoft authenticator For Ios
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:authenticator:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:authenticator_for_ios:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft authenticator
Microsoft authenticator For Ios
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Authenticator Authenticator For Ios
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-15T17:13:43.805Z

Reserved: 2026-04-21T22:14:12.924Z

Link: CVE-2026-41615

cve-icon Vulnrichment

Updated: 2026-05-14T17:59:35.662Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T18:16:47.243

Modified: 2026-05-15T18:39:39.933

Link: CVE-2026-41615

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses