A critical vulnerability in Microsoft Authenticator tracked as CVE-2026-41615 allows remote attackers to silently steal sign-in access tokens from corporate accounts, potentially granting unauthorized access to organizational data, Microsoft 365 services, and enterprise systems without the victim’s knowledge.
Microsoft disclosed CVE-2026-41615 on May 14, 2026, classifying it as a Critical Information Disclosure vulnerability affecting both Android and iOS versions of the Microsoft Authenticator app.
Assigned under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), the flaw enables an unauthenticated network attacker to intercept a user’s work-account sign-in access token by deceiving the user into approving a fraudulent authentication request.
The vulnerability carries a CVSS v3.1 base score of 9.6, near the maximum possible, and an environmental score of 8.3, reflecting a high real-world impact on confidentiality, integrity, and availability.
The attack vector is Network, with Low Attack Complexity and no privileges required from the attacker’s side, making it especially dangerous in enterprise environments where Authenticator is deployed at scale.
CVE-2026-41615: Microsoft Authenticator Vulnerability
The exploit mechanism follows a social engineering chain. An attacker crafts a malicious authentication request that appears legitimate to the victim. When the user approves the request as they would in a standard multi-factor authentication (MFA) prompt, the app is tricked into obtaining an OAuth access token on the user’s behalf.
That token is then silently exfiltrated to an attacker-controlled server, without the user ever being clearly informed of the access being granted. Critically, the stolen token inherits the full privileges of the targeted user account. For a standard employee, this could mean access to Teams conversations, SharePoint files, Outlook emails, and HR portals.
For a privileged administrator, it could mean control over entire Azure Active Directory tenants, cloud infrastructure, and sensitive organizational databases. The vulnerability does not require any special permissions or system access from the attacker; it only requires the victim to click and approve what appears to be a routine MFA request.
This attack pattern aligns with a broader, accelerating threat landscape. In April 2026, Microsoft’s Defender Research team tracked a large-scale phishing campaign that targeted more than 35,000 users across 13,000+ organizations in 26 countries, using Adversary-in-the-Middle (AiTM) techniques to harvest Microsoft authentication tokens in real time.
Healthcare and financial services sectors were hit hardest, accounting for 19% and 18% of targets, respectively. CVE-2026-41615 adds a direct, app-level attack path to that already dangerous threat environment.
Affected Versions and Patches
Microsoft has released patched versions for both major mobile platforms:
- Microsoft Authenticator for Android — Fixed in build 6.2605.2973, available via Google Play Store
- Microsoft Authenticator for iOS — Fixed in build 6.8.47, available via Apple App Store
Android users with automatic app updates enabled will receive the patch automatically. Users without auto-updates must manually update the app from the Google Play Store. iOS users should update via the App Store immediately. Microsoft has confirmed that customer action is required for both platforms; the fix is not applied automatically on the server side.
The CVSS Scope metric is Changed (S:C), meaning a successful exploit can affect resources beyond the security boundary of the vulnerable component itself.
In practical terms, a compromised Authenticator token can open doors to Microsoft 365 services, Azure cloud resources, and third-party enterprise applications integrated via OAuth, all of which are managed by security authorities distinct from the Authenticator app.
The timing of this disclosure is particularly alarming. Organizations are already battling a surge in token-theft attacks in 2026, with threat actors using AiTM phishing kits like Tycoon and EvilProxy, infostealer malware, and device code phishing techniques to harvest session tokens and bypass MFA entirely.
CVE-2026-41615 provides yet another avenue: a direct in-app exploit that bypasses MFA by stealing the token the app itself generates. Security researchers and administrators should note that the vulnerability has not been publicly exploited at the time of disclosure, and exploitability is assessed as “Exploitation Less Likely” by Microsoft.
However, given the CVSS score of 9.6, the network-based attack vector, and the current appetite among threat actors for token theft, organizations should treat this as a high-priority patch deployment, not a deferred maintenance item.
The researcher credited with discovering CVE-2026-41615 is Sridhar Periyasamy, acknowledged by Microsoft through its coordinated vulnerability disclosure program.
Security teams and individual users should take these immediate steps:
- Update immediately: Deploy Authenticator build 6.2605.2973 (Android) or 6.8.47 (iOS) across all managed devices.
- Audit identity logs: Review Azure AD and Microsoft 365 sign-in logs for anomalous access, particularly from high-privilege accounts.
- Revoke active sessions: For privileged users, revoke existing OAuth tokens and sessions after confirming patched app installation.
- Enforce MDM controls: Use Microsoft Intune or equivalent MDM solutions to verify app versions on corporate-connected devices.
- Enable Conditional Access: Require compliant, up-to-date app versions for work account access.
- User awareness: Educate employees to scrutinize MFA prompts and reject unexpected or unfamiliar authentication requests.
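The update, MDM-verification and session-revocation steps above come down to one triage question: which devices still run a pre-fix Authenticator build, and which of their users are privileged? The following added example (not from the article, Microsoft, or Intune) answers it over a constructed device inventory of the kind an MDM export would contain. The record field names (`platform`, `app_version`, `user`) are assumptions, not a real Intune schema; the fixed build numbers are the ones the article gives.

```python
"""Patch-compliance triage for the Authenticator builds named in the advisory.

Added example, not from the article. Builds are compared numerically per
platform so that, for instance, '6.10.1' is correctly treated as newer than
'6.8.47'. Inventory field names are assumptions.
"""
from __future__ import annotations
from typing import Iterable

# Fixed builds from the advisory, keyed by platform.
FIXED_BUILDS = {
    "android": "6.2605.2973",
    "ios": "6.8.47",
}


def parse_build(version: str) -> tuple[int, ...]:
    """Turn '6.2605.2973' into (6, 2605, 2973) so builds compare as numbers,
    not as strings (a string compare would put '6.10' below '6.9')."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True when the installed build is at or above the fixed build for its platform."""
    fixed = FIXED_BUILDS[platform.lower()]
    return parse_build(version) >= parse_build(fixed)


def triage(inventory: Iterable[dict], privileged_users: set[str]) -> dict:
    """Split the inventory into unpatched devices and the privileged users
    whose sessions should be revoked once their device is patched."""
    unpatched = []
    for device in inventory:
        platform = device["platform"].lower()
        if platform not in FIXED_BUILDS:
            continue  # platforms the advisory does not cover are skipped
        if not is_patched(platform, device["app_version"]):
            unpatched.append(device)
    revoke = sorted({d["user"] for d in unpatched if d["user"] in privileged_users})
    return {"unpatched": unpatched, "revoke_sessions_for": revoke}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    {"device": "pixel-01", "platform": "Android", "app_version": "6.2605.2973", "user": "alice@example.com"},
    {"device": "pixel-02", "platform": "Android", "app_version": "6.2604.3000", "user": "bob@example.com"},
    {"device": "iphone-01", "platform": "iOS", "app_version": "6.8.47", "user": "carol@example.com"},
    {"device": "iphone-02", "platform": "iOS", "app_version": "6.8.46", "user": "admin@example.com"},
    {"device": "iphone-03", "platform": "iOS", "app_version": "6.10.1", "user": "dave@example.com"},
    {"device": "laptop-01", "platform": "Windows", "app_version": "1.0.0", "user": "erin@example.com"},
]
SAMPLE_PRIVILEGED = {"admin@example.com"}

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, SAMPLE_PRIVILEGED)
    for d in result["unpatched"]:
        print(f"UNPATCHED {d['device']} ({d['platform']} {d['app_version']}) user={d['user']}")
    print("revoke sessions for:", result["revoke_sessions_for"])
```

Note that `pixel-02` is flagged even though its last component (3000) is larger than the fixed build's (2973): the second component 2604 is below 2605, and a tuple comparison catches that where a naive string or last-number check would not. In a real deployment the inventory would come from the MDM's detected-apps report and the revocation list would feed the identity provider's session-revocation step.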
FAQ
Q1: What data does CVE-2026-41615 expose?
It exposes a sign-in access token for a user’s work account, enabling access to all organizational data and services that the user is authorized to use.
Q2: Does this vulnerability bypass MFA protection?
Yes, by stealing the token that MFA itself generates, the attacker inherits an already-authenticated session without needing the user’s password.
Q3: Is Microsoft Authenticator on iOS also affected?
Yes, both iOS (fixed in build 6.8.47) and Android (fixed in build 6.2605.2973) versions are affected and patched.
Q4: Has CVE-2026-41615 been actively exploited in the wild?
As of May 14, 2026, Microsoft reports no public disclosure or active exploitation, though the critical CVSS score of 9.6 warrants urgent patching.
Site: thecybrdef.com