CVE-2026-33875 CRITICAL

CVE-2026-33875: Authenticator Vulnerable to Authentication Flow Hijack

Vendor Gematik
Product app-Authenticator
Weakness CWE-940
Published March 27, 2026
Last update April 3, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.

Key dates

02 Disclosure timeline

March 27, 2026 CVE published
April 3, 2026 Record updated