A critical vulnerability in Microsoft's Authenticator app lets attackers obtain sign-in tokens and use them to gain unauthorized access to resources. Updated versions of the app are available.

Microsoft's vulnerability entry describes the issue only in broad terms: Microsoft Authenticator exposes sensitive information to attackers over the network, so that it can fall into the hands of unauthorized actors. In the FAQ, Microsoft explains that the vulnerability can disclose the sign-in token for a user's work account. Whoever holds that token can access the data and services the user account is permitted to use, potentially including sensitive company information.

To exploit the vulnerability, attackers must trick a victim into interacting with a legitimate-looking but malicious request. Once the user confirms it, the attacker can cause the app to request access tokens on the user's behalf and deliver them to a service under the attacker's control. Affected users receive no clear indication of what access has been granted (CVE-2026-41615, CVSS 9.6, risk “critical”). NIST's NVD entry, however, rates the flaw only “high” with a CVSS score of 7.4; the two ratings reflect differing assessments of the CVSS vector. Because a leaked sign-in token grants the same access as the account itself, administrators should prioritize rolling out the update regardless of which score they follow.

Microsoft Authenticator: Updates Available