A vulnerability in Microsoft Authenticator for both iOS and Android (CVE-2026-26123) could leak one-time sign-in codes or authentication deep links to a malicious app on the same device. Deep links are predefined URIs that open an app and complete an action such as signing in, so a deep link delivered to the wrong app can expose the victim’s sign-in data. The flaw affects users who have Microsoft Authenticator installed. To exploit it, an attacker would first need to install a malicious app and have the user select it to handle a sign-in deep link.
If exploited, the attacker could complete login flows to services that trust the Authenticator codes, access information and services available to the compromised account, and potentially pivot to additional accounts protected by codes delivered via Authenticator on the same device. The fix for CVE-2026-26123 is already included in current releases, so installing updates is the most effective mitigation.
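The precondition described above, a second app on the device offering to handle the same sign-in deep link, can be checked for on Android during a device or app-inventory review. The following is an added example, not code from Microsoft or from the original page. It assumes decoded (text) `AndroidManifest.xml` files, and the package names and the `example-signin` scheme are constructed placeholders because the page does not name the actual URI scheme.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID = "{http://schemas.android.com/apk/res/android}"

def sample_manifest(package, scheme):
    """Build a constructed, minimal decoded manifest with one browsable deep link."""
    return f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="{package}"><application>
  <activity android:name=".LinkActivity" android:exported="true"><intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="{scheme}"/>
  </intent-filter></activity></application></manifest>"""

# Constructed inventory: package names and schemes are placeholders.
INVENTORY = [
    sample_manifest("com.example.authenticator", "example-signin"),
    sample_manifest("com.example.flashlight", "example-signin"),
    sample_manifest("com.example.notes", "example-notes"),
    sample_manifest("com.example.browser", "https"),
]

def deep_link_schemes(manifest_xml):
    """Return (package, custom schemes claimed by VIEW intent filters)."""
    root = ET.fromstring(manifest_xml)
    schemes = set()
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
        if "android.intent.action.VIEW" not in actions:
            continue
        for data in flt.findall("data"):
            scheme = data.get(ANDROID + "scheme")
            # http/https links can be domain-verified; custom schemes cannot.
            if scheme and scheme.lower() not in ("http", "https"):
                schemes.add(scheme.lower())
    return root.get("package"), schemes

def contested_schemes(manifests):
    """Map each custom scheme claimed by more than one package to its claimants."""
    owners = defaultdict(set)
    for xml_text in manifests:
        package, schemes = deep_link_schemes(xml_text)
        for scheme in schemes:
            owners[scheme].add(package)
    return {s: sorted(p) for s, p in owners.items() if len(p) > 1}

if __name__ == "__main__":
    for scheme, packages in contested_schemes(INVENTORY).items():
        print(f"{scheme}: claimed by {', '.join(packages)}")
```

A scheme claimed by more than one package is what causes the system to offer the user a choice of handler, so any unexpected claimant on a sign-in scheme is worth reviewing alongside confirming that Authenticator is on a current release.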