CVE-2026-33875
Published: 27 March 2026
Summary
CVE-2026-33875 is a critical-severity Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Gematik Authenticator. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 22.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the specific flaw in Gematik Authenticator versions prior to 4.16.0 through patching, which is the recommended fix for authentication flow hijacking.
Enforces validation of deep link inputs to the authenticator app, preventing maliciously crafted links from hijacking the authentication flow.
Ensures receipt and implementation of security advisories like GHSA-qg87-cf56-2rmr, prompting updates to mitigate the deep link vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is directly triggered by victim clicking crafted malicious deep links (T1204.001), commonly delivered via spearphishing (T1566.002), enabling authentication flow hijacking and account impersonation.
NVD Description
Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update…
more
Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.
Deeper analysisAI
CVE-2026-33875 affects the Gematik Authenticator, a component used to securely authenticate users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, classified under CWE-940. The issue has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, reliance on user interaction, expanded scope, and significant impacts on confidentiality and integrity.
Remote attackers with no privileges can exploit this vulnerability by crafting malicious deep links that, when clicked by victims, hijack the authentication flow. This allows attackers to authenticate using the identities of victim users, potentially granting unauthorized access to digital health services tied to the victim's account.
Advisories, including the Gematik GitHub Security Advisory (GHSA-qg87-cf56-2rmr) and the Machine Spirits advisory (https://www.machinespirits.com/advisory/f41e56/), recommend updating the Gematik Authenticator to version 4.16.0 or greater to apply the patch. No workarounds are known.
Details
- CWE(s)