Cyber Resilience

CVE-2026-33875

Critical

Published: 27 March 2026

Modified: 03 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0027 (17.7th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-33875 is a critical-severity Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Gematik Authenticator. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE ranks at the 17.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33875 affects the Gematik Authenticator, a component used to securely authenticate users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, classified under CWE-940. The issue has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, reliance on user interaction, expanded scope, and significant impacts on confidentiality and integrity.

Remote attackers with no privileges can exploit this vulnerability by crafting malicious deep links that, when clicked by victims, hijack the authentication flow. This allows attackers to authenticate using the identities of victim users, potentially granting unauthorized access to digital health services tied to the victim's account.

Advisories, including the Gematik GitHub Security Advisory (GHSA-qg87-cf56-2rmr) and the Machine Spirits advisory (https://www.machinespirits.com/advisory/f41e56/), recommend updating the Gematik Authenticator to version 4.16.0 or greater to apply the patch. No workarounds are known.


Vulnerability details

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1204.001 Malicious Link (tactic: Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

T1566.002 Spearphishing Link (tactic: Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

Why these techniques?

The vulnerability is triggered directly by a victim clicking a crafted malicious deep link (T1204.001), a link type commonly delivered via spearphishing (T1566.002); a successful click enables authentication flow hijacking and account impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33874: same product (Gematik Authenticator)
CVE-2019-25613: shared CWE-940
CVE-2026-35643: shared CWE-940
CVE-2025-23222: shared CWE-940
CVE-2026-40434: shared CWE-940
CVE-2025-61932: shared CWE-940
CVE-2026-45245: shared CWE-940

Affected Assets

Vendor: gematik
Product: authenticator
Affected versions: prior to 4.16.0 (fixed in 4.16.0)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation (prevent)
Requires timely remediation of the specific flaw in Gematik Authenticator versions prior to 4.16.0 through patching, which is the recommended fix for authentication flow hijacking.

SI-10 Information Input Validation (prevent)
Enforces validation of deep link inputs to the authenticator app, preventing maliciously crafted links from hijacking the authentication flow.

Security advisories (prevent)
Ensures receipt and implementation of security advisories like GHSA-qg87-cf56-2rmr, prompting updates to mitigate the deep link vulnerability.
