CVE-2026-26123 – Microsoft Authenticator – MFA Verification Logic
“If MFA can be weakened, account security quietly unravels.”
Microsoft addressed a vulnerability in Microsoft Authenticator affecting the integrity of the multi-factor authentication (MFA) verification process. The issue could allow improper validation of authentication challenges under certain conditions, weakening the assurance that MFA is meant to provide.
CVE-2026-26123 has a CVSS score of 5.5, which is Medium severity. While the flaw does not enable direct remote takeover on its own, it reduces the effectiveness of a key identity protection control, increasing the risk of unauthorized access when combined with other attack vectors.
The patch improves verification logic and ensures authentication responses are properly validated. There is no confirmed real-world exploitation at this time.
Key Details
- Affected Product: Microsoft Authenticator
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- CWE Classification: CWE-939