Authenticator Vulnerable to Authentication Flow Hijack_CVE-2026-33875

9.3 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Description

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.

Basic Information

ID CVE-2026-33875

Source GitHub_M

Published Mar 27, 2026 at 20:25

Modified Apr 3, 2026 at 15:21

Affected Product

Vendor gematik

Product app-Authenticator

Version < 4.16.0

Affected Versions gematik app-Authenticator < 4.16.0

CWE Classification

CWE-940

References

github.com /gematik/app-Authenticator/security/advisories/GHSA-qg87-cf56-2rmr

{
    "lastseen": "",
    "description": "Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.",
    "published": "2026-03-27T20:25:15.850Z",
    "modified": "2026-04-03T15:21:15.316Z",
    "type": "cve",
    "title": "Authenticator Vulnerable to Authentication Flow Hijack",
    "source": "GitHub_M",
    "references": "https://github.com/gematik/app-Authenticator/security/advisories/GHSA-qg87-cf56-2rmr",
    "id": "CVE-2026-33875",
    "bulletinFamily": "",
    "cwe": [
        "CWE-940"
    ],
    "cvelist": null,
    "sourceData": "gematik app-Authenticator < 4.16.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "app-Authenticator",
    "version": "< 4.16.0",
    "vendor": "gematik",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}