CVE-2026-41615 – Microsoft Authenticator Information Disclosure Vulnerability
“One deceptive approval request could hand attackers the keys to trusted business accounts, exposing sensitive corporate data in seconds.”
A critical information disclosure vulnerability exists in Microsoft Authenticator that could allow an unauthorized attacker to obtain sensitive authentication information over a network. The issue involves exposure of sign-in access tokens tied to a user’s work account. If successfully exploited, attackers could gain access to services and data that the affected user is authorized to use, potentially leading to unauthorized access across enterprise environments. Microsoft has released an official fix for affected Android devices through updated versions of the Microsoft Authenticator application.
CVSS Score: 9.6
SEVERITY: Critical
THREAT:
This vulnerability presents a serious risk because it can expose authentication access tokens that provide entry into corporate services, cloud resources, and sensitive organizational data. Attackers may leverage stolen tokens to impersonate users, bypass normal authentication protections, and move laterally through connected systems and services. Because the flaw can impact resources outside the vulnerable application’s direct security boundary, the overall organizational impact can extend far beyond a single device.
EXPLOITS:
No public exploit or proof-of-concept (PoC) code has been confirmed. Microsoft rates exploitation as “Less Likely,” and there is no indication of active zero-day exploitation. However, successful exploitation requires only that a user be convinced to interact with a malicious request that appears legitimate.
TECHNICAL SUMMARY:
The vulnerability is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. An attacker can exploit the flaw by tricking a user into approving a malicious authentication-related request through Microsoft Authenticator. Once approved, the vulnerable application may obtain a sign-in access token on the user’s behalf and transmit it to an attacker-controlled destination without clearly informing the user of the granted access. Because the exposed token may provide access to organizational services and sensitive data, the impact includes confidentiality, integrity, and availability risks. The CVSS vector indicates a changed scope, meaning exploitation can affect resources managed outside the original security authority of the vulnerable component.
EXPLOITABILITY:
Affected systems include vulnerable versions of Microsoft Authenticator on Android and iOS devices. Exploitation requires network access and user interaction but does not require attacker privileges. An attacker would typically deliver a malicious request designed to appear legitimate and rely on social engineering to convince the victim to approve it.
BUSINESS IMPACT:
Organizations using Microsoft Authenticator for workforce identity and access management face significant risks if this vulnerability is exploited. Stolen access tokens could allow unauthorized access to corporate email, cloud applications, internal systems, and sensitive business information. The vulnerability also increases the risk of account compromise, data theft, unauthorized transactions, and broader identity-based attacks against enterprise infrastructure.
WORKAROUND:
If the update cannot be immediately deployed:
- Enable automatic updates for Microsoft Authenticator applications.
- Educate users to carefully review unexpected authentication approval requests.
- Monitor authentication logs for unusual token activity or suspicious sign-in behavior.
- Enforce conditional access and multi-factor authentication monitoring policies where possible.
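The monitoring workaround above is easiest to act on with a concrete rule. The following Python script is an added example, not code from the advisory or from Microsoft: it runs a simple detection over constructed sign-in records (the field names `user`, `time`, `ip`, `country`, `app` and `auth` are assumed for this example and do not match any vendor's real log schema). The rule it implements is the one the advisory's attack pattern calls for: an MFA approval followed, within a short window, by token-only activity from a different IP address in a different country, with no fresh prompt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Field names are assumed
# for this example and only loosely mirror a cloud identity sign-in log.
SAMPLE_EVENTS = [
    # Alice approves a push prompt from her usual location ...
    {"user": "alice@example.com", "time": "2026-05-02T09:00:05Z",
     "ip": "203.0.113.10", "country": "US", "app": "Outlook", "auth": "mfa_approved"},
    # ... and minutes later her token is used from another country, no new prompt.
    {"user": "alice@example.com", "time": "2026-05-02T09:03:40Z",
     "ip": "198.51.100.77", "country": "DE", "app": "SharePoint", "auth": "token"},
    # Bob: normal day, token reuse from the same network as the approval.
    {"user": "bob@example.com", "time": "2026-05-02T09:10:00Z",
     "ip": "203.0.113.22", "country": "US", "app": "Teams", "auth": "mfa_approved"},
    {"user": "bob@example.com", "time": "2026-05-02T09:40:00Z",
     "ip": "203.0.113.22", "country": "US", "app": "Outlook", "auth": "token"},
    # Carol: a fully prompted sign-in while travelling is a fresh authentication,
    # not a token replay, so this rule leaves it alone.
    {"user": "carol@example.com", "time": "2026-05-02T10:00:00Z",
     "ip": "203.0.113.5", "country": "US", "app": "Outlook", "auth": "mfa_approved"},
    {"user": "carol@example.com", "time": "2026-05-02T10:05:00Z",
     "ip": "192.0.2.9", "country": "FR", "app": "Outlook", "auth": "mfa_approved"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_token_misuse(events, window=timedelta(minutes=15)):
    """Return one alert per token-only event that follows an MFA approval by the
    same user within `window`, from a different IP in a different country."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: _ts(e["time"]))
        approvals = []  # MFA approvals seen so far for this user, in time order
        for event in user_events:
            if event["auth"] == "mfa_approved":
                approvals.append(event)
                continue
            when = _ts(event["time"])
            for approval in approvals:
                recent = when - _ts(approval["time"]) <= window
                moved = (event["ip"] != approval["ip"]
                         and event["country"] != approval["country"])
                if recent and moved:
                    alerts.append({
                        "user": user,
                        "approval_time": approval["time"],
                        "approval_country": approval["country"],
                        "use_time": event["time"],
                        "use_country": event["country"],
                        "app": event["app"],
                    })
                    break  # one alert per suspicious event is enough
    return alerts


if __name__ == "__main__":
    for alert in find_token_misuse(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['user']}: approval in {alert['approval_country']} at "
              f"{alert['approval_time']}, token used from {alert['use_country']} at "
              f"{alert['use_time']} ({alert['app']})")
```

The window and the "different country" condition are deliberately coarse; in production they would be replaced by the organisation's own notion of a known network or device, and the alert would be fed into the same pipeline as conditional access and sign-in risk events so that the token can be revoked rather than merely reported.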
URGENCY:
This vulnerability requires immediate attention because it affects authentication trust mechanisms and can expose access tokens tied to enterprise accounts. The combination of network-based exploitation, no required attacker privileges, and the potential for full access to sensitive organizational services significantly raises the operational risk. Rapid deployment of the Microsoft Authenticator update is strongly recommended to reduce exposure.
Key Details
- Affected Product: Microsoft Authenticator
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- CWE Classification: CWE-200