CVE-2026-26123

Published Mar 10, 2026

Last updated 2 days ago

CVSS medium 5.5

Overview

Description
Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
Source
secure@microsoft.com
NVD status
Analyzed
Products
authenticator

Risk scores

CVSS 3.1

Type
Primary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

secure@microsoft.com
CWE-939
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP Authenticator 1.3.1.1227 and laterCVE-2025-54154
  2. Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.CVE-2024-45394
  3. Microsoft Authenticator Elevation of Privilege VulnerabilityCVE-2024-21390
  4. Under certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be restricted.CVE-2022-35290

References

Sources include official advisories and independent security research.