A newly discovered vulnerability in Microsoft Authenticator could expose sensitive login codes to malicious apps on the same device, raising concerns about the security of one of the most widely used multi-factor authentication tools.
A vulnerability tracked as CVE-2026-26123 affects the Microsoft Authenticator app on both Android and iOS devices. According to security reports, the flaw could allow a malicious application installed on the same phone to intercept authentication information such as one-time login codes or special sign-in links.
With more than 75 million users worldwide, Microsoft Authenticator is widely used to provide multi-factor authentication (MFA) for Microsoft and third-party services. The app generates temporary login codes and also processes QR-based sign-ins and authentication links.
Security researchers say the vulnerability centers on deep links, which are specially designed links that open a specific function within a mobile app and are often used to complete sign-in actions.
2
ESET PROTECT Advanced
Employees per Company Size
Micro (0-49), Small (50-249), Medium (250-999), Large (1,000-4,999), Enterprise (5,000+)
Any Company Size
Any Company Size
Features
Activity Monitoring, Antivirus, Blacklisting, and more
3
ManageEngine Desktop Central
Employees per Company Size
Micro (0-49), Small (50-249), Medium (250-999), Large (1,000-4,999), Enterprise (5,000+)
Any Company Size
Any Company Size
Features
Activity Monitoring, Antivirus, Dashboard, and more
How the attack could happen
Experts say the flaw cannot be exploited remotely. Instead, a victim would first need to install a malicious application on their device and then accidentally select that app to handle an authentication deep link.
If that occurs, the malicious software could receive the login code or sign-in data intended for Microsoft Authenticator. An attacker could then potentially use that information to access services protected by the app.
If exploited successfully, attackers could:
- Complete login processes that rely on Microsoft Authenticator codes
- Access data tied to the compromised account, such as emails, files, or cloud services
- Potentially move on to other accounts protected by the same device’s authentication codes
Patch already available
Security researchers say the vulnerability has already been fixed in recent versions of the app. Users are therefore encouraged to install the latest update as soon as possible.
On iOS devices, users can update apps through the Apple App Store, while Android users can install updates via the Google Play Store.
If immediate updating is not possible, experts recommend avoiding the installation of unfamiliar apps that request access to authentication links or QR-based login prompts. Users should also double-check that sign-in links open in trusted apps such as Microsoft Authenticator.
Additional security changes coming
Separately, Microsoft is preparing another security upgrade for enterprise users. The company plans to restrict the use of Microsoft Authenticator on phones that have been jailbroken or rooted, which removes built-in operating system protections.
The move will roll out gradually for organizations using Microsoft Entra identity services. According to reportsthe update will first warn users running modified devices, then block authentication features and remove stored account data if the device remains compromised.
The Android rollout began in late February 2026 and is expected to conclude by mid-2026, while the iOS rollout will start in April and finish around the same timeframe.
For more security news, read how a vulnerability in the Ally WordPress plugin could put over 400,000 websites at risk.
