Microsoft has disclosed a serious information disclosure vulnerability in Microsoft Authenticator, assigned CVE-2026-41615, that could allow an attacker to steal sign-in access tokens for work accounts and gain unauthorized access to corporate resources. The flaw, which affects the widely used authentication app on iOS and Android, underscores the risk of token exposure even when multi-factor authentication (MFA) is enabled.
In its advisory, Microsoft explained that the vulnerability could expose a user’s access token under certain conditions, but did not elaborate on the exact attack vector. Security researchers caution that any flaw leaking tokens—often JSON Web Tokens (JWTs) or similar—could effectively bypass MFA, as the token represents a fully authenticated session. This is particularly dangerous for organizations relying on Entra ID (formerly Azure AD) and Microsoft 365, where a compromised token can grant access to email, SharePoint, Teams, and other services.
Vulnerability Details
CVE-2026-41615 is categorized as an information disclosure vulnerability. According to the Common Vulnerabilities and Exposures (CVE) record, the flaw resides in the way Microsoft Authenticator handles and stores access tokens for work or school accounts. While full technical details have been withheld to protect users while patches are deployed, the description indicates that an attacker could potentially retrieve a plaintext token under specific scenarios.
Industry analysts suggest that the bug might involve insecure storage of tokens in the app's local data, interception during token refresh, or a flaw in notification handling that lets a malicious app on the same device read tokens out of the Authenticator's protected storage. (Hardware enclaves such as Apple's Secure Enclave or Android StrongBox hold keys, not tokens; a token sitting in app storage is only as safe as the OS sandbox around it.) Such a flaw would be particularly severe because tokens are the digital keys that grant access without requiring re-authentication.
Microsoft Authenticator uses OAuth 2.0 and OpenID Connect protocols to authenticate users and obtain tokens from Entra ID. The app stores tokens in a protected storage area on the device, but if that storage is improperly implemented, a vulnerability could leak tokens to other apps or processes. The CVE listing notes that the vulnerability requires an attacker to have access to the device—either physically or through malware—which somewhat limits the attack scope, but still represents a critical risk for enterprises.
The CVSS v3 score for CVE-2026-41615 has not been published. The "requires access to the device" condition implies a local attack vector, and with low privileges required (the usual way a malicious-app-on-the-same-device scenario is scored) CVSS v3.1 arithmetic puts such an information disclosure at about 6.5 (Medium) even with high confidentiality impact and changed scope (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). Only by assuming no privileges are required, or a non-local vector, does it reach the 7.0 to 8.5 High range often quoted for token disclosure flaws. The base score does not capture what matters operationally: a leaked token bypasses MFA entirely.
Impact: A Single Token Can Unlock Everything
Access tokens are the crown jewels of modern authentication. When a user signs into a work account through Microsoft Authenticator, the app receives an access token that can be used to call APIs on behalf of the user. Entra access tokens are bearer tokens: whoever presents one is treated as the user, so if the token is stolen the attacker can impersonate the user without needing a password or MFA approval.
For example, a token issued for Microsoft Graph can read emails, access OneDrive files, send messages in Teams, and more. In a worst-case scenario, an attacker with a stolen token could move laterally within an organization, exfiltrate sensitive data, or establish persistent access.
Because the token belongs to a work account, the compromise potentially extends to all enterprise applications integrated with Entra ID—including custom line-of-business apps. This elevates the risk from a personal device issue to a full-blown organizational security breach.
Administrators face the daunting task of not only ensuring that all users update the Authenticator app, but also revoking existing tokens and forcing re-authentication across the board. Microsoft provides revocation via the Entra admin center and PowerShell, with one caveat that matters here: revocation invalidates refresh tokens and sessions, so no new access tokens can be minted, but access tokens already issued remain usable until they expire (roughly an hour by default) unless the resource enforces Continuous Access Evaluation. The operational impact can be significant, especially for large organizations with thousands of mobile users.
Attack Scenario
Consider a user who has the vulnerable Authenticator app installed. An attacker could, through phishing or malware, gain a foothold on the device. From there, they might exploit CVE-2026-41615 to extract a valid access token for the user's work account. Because the token is still valid (Entra access tokens live roughly an hour by default, and a refresh token for far longer), the attacker can use it to access corporate resources without alerting the user or triggering MFA prompts. The token could be exfiltrated to a remote server and used from any network, making attribution difficult.
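The first thing a responder does with a recovered token is read its claims to scope the incident: which audience it was issued for, which user and tenant, which scopes, whether an MFA claim is present, and how long it has left. The following is an added example, not code from Microsoft's advisory. It decodes the JWT payload without verifying the signature, which is acceptable for triage but never for an authorization decision. The token itself is constructed inline with a dummy signature, and the list of "high value" scope prefixes is an assumption chosen for illustration.

```python
"""Triage a recovered Entra ID access token: what can it reach, and for how long?

Added example. Decodes the JWT payload WITHOUT verifying the signature, which is fine
for scoping an incident but must never be used to make an authorization decision.
"""
import base64
import json
import time

# Assumed list of scope prefixes that give broad reach into mailboxes, files and the
# directory. Tune to your tenant's risk model; this is illustrative only.
HIGH_VALUE_PREFIXES = ("Mail.", "Files.", "Sites.", "Directory.", "User.ReadWrite")


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Return (header, claims) of a compact JWT. The signature is deliberately ignored."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def triage(token: str, now=None) -> dict:
    """Summarise the blast radius of a leaked token at time `now` (Unix seconds)."""
    now = int(time.time()) if now is None else now
    header, claims = decode_unverified(token)
    scopes = claims.get("scp", "").split()
    remaining = claims["exp"] - now
    return {
        "alg": header.get("alg"),
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "user": claims.get("upn") or claims.get("preferred_username"),
        # 'amr' lists the methods satisfied at issuance; "mfa" present means the
        # resource will NOT prompt again: the attacker inherits the user's MFA.
        "mfa_in_amr": "mfa" in claims.get("amr", []),
        "scopes": scopes,
        "high_value_scopes": [s for s in scopes if s.startswith(HIGH_VALUE_PREFIXES)],
        "seconds_remaining": max(remaining, 0),
        "expired": remaining <= 0,
    }


def build_sample_token(now: int) -> str:
    """Constructed token for this example. Claims mimic a delegated Microsoft Graph
    token; the tenant id is all zeros and the signature is 32 dummy bytes."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
    claims = {
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "tid": "00000000-0000-0000-0000-000000000000",
        "iat": now - 300, "nbf": now - 300, "exp": now + 3300,  # about an hour of life
        "upn": "alice@contoso.example",
        "amr": ["pwd", "mfa"],
        "scp": "Mail.Read Files.Read.All User.Read",
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"\x00" * 32),
    ])


if __name__ == "__main__":
    now = int(time.time())
    for key, value in triage(build_sample_token(now), now).items():
        print(f"{key:20} {value}")
```

The report tells you which workloads to pull audit logs from (a Graph audience with Mail.Read means Exchange Online mailbox audit, for instance) and how long the exposure window is if revocation cannot reach the token. Treat a present "mfa" entry in amr as the reason the theft matters: every resource that trusts the token will consider MFA already satisfied.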
Microsoft's Response and Patch Availability
Microsoft responded promptly by releasing updated versions of Microsoft Authenticator for both iOS (version 6.7.3) and Android (version 6.7.4). The updates include fixes that eliminate the token disclosure vulnerability. The company has published an official advisory (CVE-2026-41615) on the Microsoft Security Response Center (MSRC) portal, along with guidance for users and IT administrators.
In the advisory, Microsoft recommends that all users update the Authenticator app immediately via their respective app stores. For organizations, Microsoft has provided additional steps: review the Entra sign-in and audit logs for unusual token issuance or usage, revoke sessions for affected users, and consider enforcing re-authentication for all users after ensuring they have the patched app version.
The advisory also stresses that the risk is reduced for users who have enabled App Lock (device PIN or biometric) in Authenticator, which adds a layer of defense against someone opening the app. That protection applies to the app's user interface, however, not to the storage behind it: if the flaw lets another process read the token store, App Lock does not stop it, so the patch remains critical.
What Users and IT Admins Should Do Right Now
For End Users
- Update Microsoft Authenticator: Go to the App Store (iOS) or Google Play Store (Android) and install the latest version. Versions below 6.7.3 (iOS) and 6.7.4 (Android) are vulnerable.
- Review Account Activity: For a work or school account, check your recent sign-ins at mysignins.microsoft.com (My Sign-Ins) for unrecognized locations or devices; account.microsoft.com/security covers personal Microsoft accounts only.
- Enable App Lock: If not already active, turn on app lock in Authenticator settings to require a PIN or biometric verification to open the app.
- Watch for Phishing: Attackers may use news of this CVE to launch targeted phishing campaigns. Be wary of unsolicited messages asking you to “verify your account” by following a link.
For IT Administrators
- Enforce App Update: Use mobile device management (MDM) policies to prompt or require users to update Microsoft Authenticator to the patched version.
- Revoke Tokens: In the Entra admin center, open the affected user under Identity > Users > All users and select Revoke sessions. Alternatively, use Revoke-MgUserSignInSession -UserId <user> from the Microsoft Graph PowerShell SDK (the older AzureAD module's Revoke-AzureADUserAllRefreshToken does the same but that module is deprecated). This invalidates refresh tokens and sessions; access tokens already in an attacker's hands stay valid until they expire unless the resource supports Continuous Access Evaluation.
- Audit Sign-Ins: Review Entra ID sign-in logs for unusual patterns, such as logins from unfamiliar IP addresses or devices, following the disclosure date.
- Monitor for Token Replay: Deploy Microsoft Defender for Cloud Apps or a SIEM to detect anomalous token usage. Keep in mind what each log shows: Entra sign-in logs record token issuance (interactive sign-ins and non-interactive refresh-token redemptions), so a replayed refresh token appears as non-interactive sign-ins from the attacker's network, while use of an already-issued access token is visible only in the workload's own audit logs (Exchange Online, SharePoint, Teams). Look for sessions continuing from locations the user has never used and for access that never re-satisfied MFA.
- Re-assess Conditional Access: Consider implementing strict location-based or device-compliance conditional access policies to reduce the blast radius of token theft.
- Educate Users: Send a clear communication about the vulnerability and the imperative to update, without causing unnecessary panic. Provide links to official sources.
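The sign-in review above turns into a repeatable hunt once it is written down. The following is an added example, not Microsoft's tooling: it runs over a list of sign-in records shaped like Entra sign-in log entries (only the fields used are modelled, with the country pulled out of the nested location object), builds a per-user baseline of IPs and countries seen before an assumed disclosure date, and flags post-disclosure sign-ins from new networks. Non-interactive sign-ins from a new IP are ranked highest because they are refresh-token redemptions: a session the user did not start being continued from somewhere the user has never been. All records and the disclosure date are constructed.

```python
"""Flag Entra ID sign-ins that look like stolen-token use after a disclosure date.

Added example. Input is a list of dicts using Entra sign-in log field names
(userPrincipalName, createdDateTime, ipAddress, isInteractive,
authenticationRequirement); 'country' stands in for location.countryOrRegion.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed disclosure date used as the baseline cut-off.
DISCLOSURE = datetime(2026, 5, 1, tzinfo=timezone.utc)

# Constructed sample records (documentation IP ranges, fictional users).
SAMPLE_SIGNINS = [
    # Baseline: alice normally signs in from the corporate egress IP in the US.
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-04-20T08:02:11Z",
     "ipAddress": "203.0.113.10", "country": "US", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-04-28T17:45:03Z",
     "ipAddress": "203.0.113.10", "country": "US", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication", "appDisplayName": "Microsoft Office"},
    # After disclosure: a non-interactive token refresh from a never-seen IP and country.
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-05-03T02:14:59Z",
     "ipAddress": "198.51.100.77", "country": "RO", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication", "appDisplayName": "Microsoft Graph"},
    # bob: baseline, a normal refresh from the same IP, then an interactive MFA sign-in
    # from a new IP in his usual country (worth a look, but low severity).
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-04-25T09:00:00Z",
     "ipAddress": "203.0.113.10", "country": "US", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-05-02T09:00:00Z",
     "ipAddress": "203.0.113.10", "country": "US", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-05-04T11:30:00Z",
     "ipAddress": "203.0.113.99", "country": "US", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication", "appDisplayName": "Microsoft Teams"},
]


def _ts(value: str) -> datetime:
    # Sign-in logs use ISO 8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_baseline(signins, cutoff):
    """Per-user sets of IPs and countries seen strictly before the cut-off."""
    ips, countries = defaultdict(set), defaultdict(set)
    for rec in signins:
        if _ts(rec["createdDateTime"]) < cutoff:
            ips[rec["userPrincipalName"]].add(rec["ipAddress"])
            countries[rec["userPrincipalName"]].add(rec["country"])
    return ips, countries


def find_suspicious(signins, cutoff=DISCLOSURE):
    """Return post-cut-off sign-ins from IPs the user never used before, with a severity."""
    ips, countries = build_baseline(signins, cutoff)
    findings = []
    for rec in signins:
        if _ts(rec["createdDateTime"]) < cutoff:
            continue
        upn = rec["userPrincipalName"]
        if rec["ipAddress"] in ips[upn]:
            continue  # known network for this user
        reasons, severity = ["ip not in baseline"], "low"
        if rec["country"] not in countries[upn]:
            reasons.append("country not in baseline")
            severity = "medium"
        # A non-interactive sign-in is a refresh-token redemption: an existing session
        # being continued, with no user present and no fresh MFA. From a new network,
        # that is the replay pattern this hunt is for.
        if not rec["isInteractive"]:
            reasons.append("non-interactive token refresh from new network")
            severity = "high"
        findings.append({**rec, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['createdDateTime']} {f['userPrincipalName']} "
              f"{f['ipAddress']} ({f['country']}) {'; '.join(f['reasons'])}")
```

In practice the records come from an export of the sign-in logs (both the interactive and non-interactive user sign-in tabs) or from Log Analytics, and the high-severity hits are the users whose sessions to revoke first. A new-IP-only hit is noise on a mobile workforce; a non-interactive hit from a new country during the exposure window is not.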
Broader Implications: The Achilles’ Heel of Authenticator Apps
CVE-2026-41615 is not the first token disclosure flaw in an authentication app, and it won’t be the last. Authenticator apps have become a cornerstone of enterprise MFA strategies, often touted as more secure than SMS-based codes. Yet, they introduce a new attack surface: the app itself and its token handling.
Security researchers have long warned that storing persistent access tokens on devices, even behind hardware-backed keys, carries inherent risk. If an attacker compromises the device via malware or physical access, they could potentially extract tokens. The push-notification model, where a user simply taps "Approve", offers no protection against this: a stolen bearer token is replayed without any prompt, so the user sees nothing to approve or deny.
The incident highlights the need for a defense-in-depth approach. Organizations should complement Authenticator-based MFA with other controls, such as token binding (proof-of-possession), continuous access evaluation, and device health attestation. Microsoft has been enhancing its security offerings in this space, but this flaw serves as a reminder that no single layer is foolproof.
Moreover, the reliance on a single authentication app across personal and work accounts creates a crossover risk. A vulnerability in the app handling work tokens could potentially expose personal tokens if the separation is insufficient. Microsoft Authenticator uses separate containers for account types, but researchers often find flaws that break this isolation.
Past Token Disclosure Vulnerabilities
This is not the first time an authenticator app has been targeted. As a hypothetical illustration rather than a documented case, imagine a TOTP app that includes its seeds in unencrypted device backups: anyone with a copy of the backup can regenerate every code. Third-party authenticators have in fact faced scrutiny over cloud-sync features that could expose seed values. Each case teaches the same lesson: the local storage and handling of cryptographic material must be airtight.
The Road Ahead: Hardening Token Security
In response to this CVE, Microsoft is likely to further harden the Authenticator app and its integration with Entra ID. Potential improvements could include:
- Ephemeral Tokens: Reducing token lifetimes or using one-time-use tokens for certain operations, so stolen tokens become useless quickly.
- Token Binding: Employing cryptographic binding so that a token can only be used from the device that originally requested it. Entra ID already offers this for Windows sign-in sessions through Conditional Access token protection, which binds refresh tokens to the device; extending proof-of-possession to access tokens and to mobile platforms is the open work.
- Enhanced Isolation: Strengthening the sandboxing of token storage within the app, possibly using hardware-backed keystores like the Secure Enclave on iOS or StrongBox Keymaster on Android.
- User Education: Clearer guidance on the risks of rooted/jailbroken devices and the importance of keeping apps updated.
The cybersecurity community will undoubtedly scrutinize Microsoft’s advisory and the patch to reverse-engineer the vulnerability, which could lead to proof-of-concept exploits. Therefore, swift patching is paramount. Past experience with similar flaws shows that threat actors often weaponize disclosures within days or weeks after a patch is released, targeting unpatched devices.
Final Word
CVE-2026-41615 is a high-stakes reminder that even the tools designed to secure our accounts can become vectors for attack. Microsoft Authenticator’s token leak vulnerability puts millions of work accounts at risk, and the only effective shield is immediate updating. For users, a couple of taps in the app store could prevent a catastrophic data breach. For IT administrators, this is a call to review token management practices and reinforce user awareness.
Microsoft has demonstrated responsible disclosure by releasing a fix and providing clear guidance. Now, the onus is on users and organizations to act. The security community will watch closely to see whether this flaw leads to any real-world incidents—and what lessons Microsoft will apply to future versions of its identity ecosystem.