CVE-2026-33875

Source
https://cve.org/CVERecord?id=CVE-2026-33875
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33875.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33875
Aliases
  • GHSA-qg87-cf56-2rmr
Published
2026-03-27T20:25:15.850Z
Modified
2026-04-02T13:41:35.356830Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
Authenticator Vulnerable to Authentication Flow Hijack
Details

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking: a victim who clicks a malicious deep link can have their authentication flow taken over, potentially allowing the attacker to authenticate with the victim's identity. The CVSS vector matches that description: the attack is network-reachable and needs no privileges (AV:N, PR:N), requires exactly one user interaction (UI:R, the click on the link), and is scored with a changed scope (S:C), consistent with the impact landing on the applications the Authenticator logs users into rather than on the Authenticator alone. The record classifies the weakness as CWE-940, Improper Verification of Source of a Communication Channel. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33875.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-940"
    ]
}
References

Affected packages

Git / github.com/gematik/app-authenticator

Affected ranges

Type
GIT
Repo
https://github.com/gematik/app-authenticator
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.16.0"
        }
    ]
}
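The range above is the whole of the machine-readable fix information in this record: introduced "0", fixed "4.16.0", with no fixed commit recorded. A practitioner checking a fleet of installed builds against it has to compare versions numerically, not as strings, because the minor component reaches two digits (4.10.0 through 4.15.2). The following is an added example, not code from the record or from the gematik/app-authenticator project: it applies OSV's half-open [introduced, fixed) semantics to a version string and contrasts that with a naive lexicographic comparison. The version list is constructed from the "Affected versions" section of this page; the general multi-range handling goes beyond the single range this record carries.

```python
# Added example (not project code): evaluate Gematik Authenticator builds against
# the OSV affected range of CVE-2026-33875 and show why string comparison fails.
from __future__ import annotations

import re

# Range copied from the record's database_specific block above.
AFFECTED_EVENTS = [{"introduced": "0"}, {"fixed": "4.16.0"}]

# Constructed from the page's "Affected versions" list (wildcards 3.* / 4.* omitted).
LISTED_VERSIONS = [
    "3.1.0", "4.0.0", "4.1.0", "4.2.0", "4.2.1", "4.3.0", "4.4.0", "4.4.1",
    "4.5.0", "4.6.0", "4.7.0", "4.8.0", "4.8.1", "4.9.0", "4.10.0", "4.11.0",
    "4.12.0", "4.13.0", "4.13.1", "4.13.2", "4.14.0", "4.14.1", "4.15.0",
    "4.15.1", "4.15.2",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Parse MAJOR.MINOR.PATCH into a tuple of ints so comparison is numeric.

    OSV's "0" sentinel ("since the first commit") maps to (0, 0, 0). Anything
    else that is not a plain three-part numeric version is rejected instead of
    being silently compared, so a build string such as "4.16.0-beta" cannot be
    mis-scored as fixed or as affected.
    """
    if text == "0":
        return (0, 0, 0)
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str, events=AFFECTED_EVENTS) -> bool:
    """True if `version` lies in any OSV [introduced, fixed) range.

    Ranges are half-open: the 'fixed' version itself is not affected. Events
    are walked in the order OSV publishes them, so a record with several
    introduced/fixed pairs is handled as well as this record's single range.
    """
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            if v >= parse_version(event["introduced"]):
                affected = True
        elif "fixed" in event:
            if v >= parse_version(event["fixed"]):
                affected = False
    return affected


def naive_is_affected(version: str) -> bool:
    """The check a quick one-liner often does: lexicographic string comparison.

    Kept only to demonstrate the failure mode; '9' > '1' as characters, so
    "4.9.0" sorts after "4.16.0" and would be reported as already fixed.
    """
    return version < "4.16.0"


def naive_misses(versions=LISTED_VERSIONS) -> list[str]:
    """Versions the record marks affected that the string comparison clears."""
    return [v for v in versions if is_affected(v) and not naive_is_affected(v)]


if __name__ == "__main__":
    for v in ("4.9.0", "4.15.2", "4.16.0"):
        verdict = "affected" if is_affected(v) else "not affected"
        naive = "affected" if naive_is_affected(v) else "not affected"
        print(f"{v:8} numeric: {verdict:13} string compare: {naive}")
    print("missed by string comparison:", ", ".join(naive_misses()))
```

The same lexicographic trap is visible on this very page: the "Affected versions" list as exported sorts 4.10.0 ahead of 4.2.0. Any inventory script that compares version strings instead of parsed components will clear every 4.2.x through 4.9.x build as if it were newer than the fix.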

Affected versions

3.*
3.1.0
4.*
4.0.0
4.1.0
4.2.0
4.2.1
4.3.0
4.4.0
4.4.1
4.5.0
4.6.0
4.7.0
4.8.0
4.8.1
4.9.0
4.10.0
4.11.0
4.12.0
4.13.0
4.13.1
4.13.2
4.14.0
4.14.1
4.15.0
4.15.1
4.15.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33875.json"