Microsoft Authenticator could leak login codes—update your app now


A vulnerability in Microsoft Authenticator for both iOS and Android (CVE-2026-26123) could leak your one-time sign-in codes or authentication deep links to a malicious app on the same device. 

Deep links are predefined URIs (Uniform Resource Identifiers) that open a specific screen or action in a web or mobile application when clicked. In simple terms, they are specifically constructed links used to open an app and complete actions like signing in. On a phone, the operating system decides which installed app handles a given link based on what each app has registered for, and when more than one app claims the same link the user is asked to choose.

Microsoft Authenticator is a mobile app that generates time-based one-time codes and handles sign-in links and QR-based logins for Microsoft and other accounts. It is widely used for multi-factor authentication (MFA) on personal phones, including BYOD (Bring Your Own Device) devices that protect access to corporate and production services.

This vulnerability affects users who have Microsoft Authenticator installed on an iOS or Android device. For the vulnerability to be exploited, the user would first need to install a malicious app on their device and then accidentally choose that app to handle a sign‑in deep link.

If that happens, the malicious app receives the one-time code or sign-in information and can potentially use it to authenticate as the victim.
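To make the mechanism concrete, here is an added example (not code from the article, from Malwarebytes, or from Microsoft) of how an Android app declares that it wants to handle a custom link scheme. The package name, activity name and the scheme "example-auth" are placeholders chosen for illustration; the article does not state which scheme Microsoft Authenticator registers, and this fragment is not it.

```xml
<!-- Added illustrative example, not from the article or from Microsoft.
     Hypothetical Android manifest fragment for an app that registers a
     custom URI scheme. "com.example.lookalike", "CaptureActivity" and the
     "example-auth" scheme are placeholders, not real identifiers. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lookalike">
  <application android:label="Authenticator">
    <activity android:name=".CaptureActivity" android:exported="true">
      <!-- Nothing stops a second installed app from declaring the same
           scheme. When two apps claim it, Android presents a chooser; if
           the user picks this app, the complete URI, including whatever
           code or token it carries, is delivered to CaptureActivity via
           getIntent().getData(). -->
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="example-auth" />
      </intent-filter>
    </activity>
  </application>
</manifest>
```

On a device you control, you can list every app that claims a scheme with `adb shell pm query-activities -a android.intent.action.VIEW -d "example-auth://login"` (substitute the scheme you are investigating); any package in that list other than the one you expect deserves a closer look.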

If successful, an attacker could:

  • Complete login flows to services that trust your Microsoft Authenticator codes.
  • Access the information and services available to the compromised account (email, files, cloud apps, or production systems in a BYOD context).
  • Potentially pivot to additional accounts if those are also protected by codes delivered via Authenticator on the same device.

How to stay safe

The fix for CVE-2026-26123 is already included in current releases, so installing updates is the most effective mitigation.

  • On iOS: Open the App Store. Tap the My Account button or your photo at the top of the screen. Scroll down to see pending updates and release notes. Tap Update next to an app to update only that app, or tap Update All.
  • On Android: Open the Google Play Store app. At the top right, tap the profile icon. Tap Manage apps & device. Under “Updates available,” tap See details. Next to the app you want to update, tap Update. To update all your apps at the same time, tap Update all.

Note: If your device manufacturer has implemented a different method to apply app updates, the steps may vary slightly.

If you are temporarily unable to update the app, avoid installing new apps that request to handle authentication links, QR-based sign-ins, or web-to-app sign-in flows.

When scanning QR codes or tapping sign-in links, verify that the handler is Microsoft Authenticator or another trusted app, and not an unknown, recently installed, or otherwise suspicious app.

Where possible, use alternative MFA options you already trust (such as built-in authentication in your password manager or platform-specific solutions like Apple’s password features) until you can apply the update.

Use anti-malware protection for your mobile devices that can help detect malicious apps.




