CVE-2026-33874
Published: 27 March 2026
Summary
CVE-2026-33874 is a high-severity OS Command Injection (CWE-78) vulnerability in Gematik Authenticator. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 28.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the RCE vulnerability by requiring identification, prioritization, and patching of the Gematik Authenticator to version 4.16.0 or later.
Prevents OS command injection (CWE-78) by validating and sanitizing inputs from malicious files opened in the authenticator.
Mitigates exploitation by scanning for and blocking malicious files that trigger the RCE vulnerability in the authenticator.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This is a client-side OS command injection RCE in the Mac app: it is triggered directly when the victim opens a malicious file (T1204.002), which exploits the client software for code execution (T1203) via a Unix shell (T1059.004).
NVD Description
Gematik Authenticator securely authenticates users for login to digital health applications. Starting in version 4.12.0 and prior to version 4.16.0, the Mac OS version of the Authenticator is vulnerable to remote code execution, triggered when victims open a malicious file.…
Update the gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.
Deeper analysis
CVE-2026-33874 is a remote code execution vulnerability (classified under CWE-78, OS Command Injection) affecting the Mac OS version of the Gematik Authenticator, a tool used to securely authenticate users for login to digital health applications. The flaw impacts versions starting from 4.12.0 up to but not including 4.16.0. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An attacker can exploit this vulnerability by tricking a victim into opening a malicious file on a system running the affected Mac OS Authenticator version. No privileges are required (PR:N), but local access is needed (AV:L) with low attack complexity (AC:L) and user interaction (UI:R). Successful exploitation leads to remote code execution on the victim's machine, potentially allowing full compromise of the local system.
Advisories, including those from the Gematik GitHub security page (GHSA-mjgm-7hwc-qqcr) and Machinespirits (advisory/2e655e/), recommend updating the Gematik Authenticator to version 4.16.0 or later to apply the patch. No workarounds are available.
Details
- CWE(s)