critical advisory

Gematik Authenticator Authentication Flow Hijacking Vulnerability (CVE-2026-33875)

Gematik Authenticator versions prior to 4.16.0 are vulnerable to authentication flow hijacking via a malicious deep link; an attacker who gets a user to open such a link can potentially authenticate with the victim's identity.

The Gematik Authenticator, the client used to authenticate users to digital health applications, carries a critical vulnerability (CVE-2026-33875) in all versions prior to 4.16.0: its authentication flow can be hijacked through a crafted deep link. Because a deep link is handled by the URI scheme the Authenticator registers on the system, it can be delivered over any channel that reaches the user (a web page, an e-mail, a chat message). If the user opens it, the Authenticator is launched with attacker-controlled parameters and the attacker can potentially complete the authentication under the victim's identity. Upgrading to 4.16.0 or later removes the issue. This poses a significant risk to user privacy and data security within…
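The advisory does not describe the deep link's parameters, so the following is an added illustration, not code from the Authenticator or from gematik. It assumes a hypothetical scheme `authapp://?challenge_path=<URL>` in which the deep link tells the client where to fetch its authentication challenge, and shows the kind of handler that can be hijacked (it trusts whatever URL the link carries) next to a hardened one that pins the scheme, rejects userinfo and odd ports, and checks the host against an allowlist. The scheme, parameter name and allowlist are all assumptions for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed for this example (not from the advisory): the Authenticator is
# launched as "authapp://?challenge_path=<URL>" and then opens <URL>.
DEEP_LINK_SCHEME = "authapp"
ALLOWED_IDP_HOSTS = {"idp.example.org"}   # constructed allowlist of trusted IdP hosts


class DeepLinkError(ValueError):
    """Raised when a deep link fails validation."""


def parse_deep_link_unsafe(link):
    """'Before' handler: uses the challenge URL exactly as the link supplied it.

    Anyone who can get the user to open a link controls where the client
    sends its authentication flow.
    """
    query = parse_qs(urlsplit(link).query)
    return query["challenge_path"][0]


def parse_deep_link_safe(link):
    """Hardened handler: returns the challenge URL only if every part of it
    is one the client is prepared to talk to."""
    parts = urlsplit(link)
    if parts.scheme != DEEP_LINK_SCHEME:
        raise DeepLinkError("unexpected deep link scheme: %r" % parts.scheme)

    values = parse_qs(parts.query, keep_blank_values=True).get("challenge_path", [])
    if len(values) != 1:
        # Duplicate parameters are a classic way to confuse two parsers.
        raise DeepLinkError("challenge_path must appear exactly once")

    target = urlsplit(values[0])
    if target.scheme != "https":
        raise DeepLinkError("challenge_path must use https")
    if target.username is not None or target.password is not None:
        # "https://idp.example.org@evil.test/" reads as the IdP to a human,
        # but the real host is evil.test.
        raise DeepLinkError("userinfo in challenge_path is not allowed")
    host = (target.hostname or "").lower()
    if host not in ALLOWED_IDP_HOSTS:
        raise DeepLinkError("challenge host not in allowlist: %r" % host)
    if target.port not in (None, 443):
        raise DeepLinkError("non-standard port in challenge_path")
    return target.geturl()


def accepts(link):
    """True if the hardened handler would act on the link, False otherwise."""
    try:
        parse_deep_link_safe(link)
        return True
    except DeepLinkError:
        return False


if __name__ == "__main__":
    # Constructed sample links: one legitimate, the rest attacker-shaped.
    samples = [
        "authapp://?challenge_path=https://idp.example.org/auth?c=1",
        "authapp://?challenge_path=https://evil.test/auth",
        "authapp://?challenge_path=https://idp.example.org@evil.test/auth",
        "authapp://?challenge_path=http://idp.example.org/auth",
        "authapp://?challenge_path=https://idp.example.org:8443/auth",
    ]
    for s in samples:
        print("unsafe ->", parse_deep_link_unsafe(s))
        print("safe   ->", "accepted" if accepts(s) else "rejected")
```

The allowlist is the essential control: scheme and port checks alone still let an attacker host a look-alike IdP, and a deep link that the client trusts without such a check is exactly the attack surface the advisory describes.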

Detection coverage (2 rules)

Detect Gematik Authenticator Deep Link Hijacking Attempt

high

Detects suspicious process execution with Gematik Authenticator as the originating process, a pattern that may indicate a deep link hijacking attempt.

Format: Sigma. Tactics: initial_access. Techniques: T1189, T1566.001. Sources: process_creation, windows.

Detect Suspicious Network Connection from Gematik Authenticator After Deep Link

medium

Detects suspicious outbound network connections initiated by Gematik Authenticator shortly after it has been launched through a deep link.

Format: Sigma. Tactics: command_and_control. Techniques: T1071.001. Sources: network_connection, windows.
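The two rule descriptions above do not include their queries, so the following is an added example of the logic they describe, run over constructed Sysmon-style events; it is not the platform's Sigma content. It assumes the Authenticator binary is named `gematik-authenticator.exe`, that a deep-link launch is visible in the command line as a hypothetical `authapp://` URI, and that the only expected child of the Authenticator is another instance of itself; the trusted-host allowlist and the 60-second correlation window are likewise assumptions. The first function covers the process_creation rule (unexpected child of the Authenticator), the second the network_connection rule (a connection from a deep-link-launched instance to a host outside the allowlist, correlated by ProcessGuid).

```python
from datetime import datetime, timedelta

# Assumptions for this example (not from the advisory or the rules):
AUTHENTICATOR_IMAGE = "gematik-authenticator.exe"   # assumed binary name
DEEP_LINK_SCHEME = "authapp://"                     # assumed deep link scheme
EXPECTED_CHILDREN = {"gematik-authenticator.exe"}   # assumed benign children
TRUSTED_HOSTS = {"idp.example.org"}                 # constructed IdP allowlist
CORRELATION_WINDOW = timedelta(seconds=60)          # assumed window

# Constructed Sysmon-style events (EventID 1 = process creation, 3 = network connection).
EVENTS = [
    {"EventID": 1, "UtcTime": "2026-03-10 12:00:00.000", "ProcessGuid": "{A}",
     "Image": r"C:\Program Files\gematik Authenticator\gematik-authenticator.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": '"gematik-authenticator.exe" "authapp://?challenge_path=https://evil.test/x"'},
    {"EventID": 3, "UtcTime": "2026-03-10 12:00:02.000", "ProcessGuid": "{A}",
     "Image": r"C:\Program Files\gematik Authenticator\gematik-authenticator.exe",
     "DestinationHostname": "evil.test", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2026-03-10 12:00:03.000", "ProcessGuid": "{A}",
     "Image": r"C:\Program Files\gematik Authenticator\gematik-authenticator.exe",
     "DestinationHostname": "idp.example.org", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": "2026-03-10 12:00:05.000", "ProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\gematik Authenticator\gematik-authenticator.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"EventID": 1, "UtcTime": "2026-03-10 12:01:00.000", "ProcessGuid": "{B}",
     "Image": r"C:\Program Files\gematik Authenticator\gematik-authenticator.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"gematik-authenticator.exe"'},
    {"EventID": 3, "UtcTime": "2026-03-10 12:01:05.000", "ProcessGuid": "{B}",
     "Image": r"C:\Program Files\gematik Authenticator\gematik-authenticator.exe",
     "DestinationHostname": "updates.example.net", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2026-03-10 12:06:00.000", "ProcessGuid": "{A}",
     "Image": r"C:\Program Files\gematik Authenticator\gematik-authenticator.exe",
     "DestinationHostname": "updates.example.net", "DestinationPort": 443},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def detect_child_processes(events):
    """Rule 1: process creation whose parent is the Authenticator and whose
    image is not one of the children it is expected to spawn."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        if _basename(e.get("ParentImage", "")) != AUTHENTICATOR_IMAGE:
            continue
        child = _basename(e.get("Image", ""))
        if child not in EXPECTED_CHILDREN:
            hits.append((e["UtcTime"], child))
    return hits


def detect_post_deeplink_connections(events):
    """Rule 2: outbound connection by an Authenticator instance that was
    launched with a deep link, within the window, to a host not allowlisted."""
    launches = {}
    for e in events:
        if (e.get("EventID") == 1
                and _basename(e.get("Image", "")) == AUTHENTICATOR_IMAGE
                and DEEP_LINK_SCHEME in e.get("CommandLine", "")):
            launches[e["ProcessGuid"]] = _ts(e["UtcTime"])

    hits = []
    for e in events:
        if e.get("EventID") != 3:
            continue
        if _basename(e.get("Image", "")) != AUTHENTICATOR_IMAGE:
            continue
        started = launches.get(e.get("ProcessGuid"))
        if started is None:
            continue                      # not a deep-link-launched instance
        delta = _ts(e["UtcTime"]) - started
        if not (timedelta(0) <= delta <= CORRELATION_WINDOW):
            continue                      # too late to attribute to the deep link
        host = (e.get("DestinationHostname") or e.get("DestinationIp") or "").lower()
        if host in TRUSTED_HOSTS:
            continue
        hits.append((e["UtcTime"], host, e.get("DestinationPort")))
    return hits


def run_all(events=EVENTS):
    return {
        "child_processes": detect_child_processes(events),
        "post_deeplink_connections": detect_post_deeplink_connections(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

Correlating on ProcessGuid rather than on image name alone is what keeps the second rule at medium rather than noisy: the Authenticator legitimately talks to its IdP and to update hosts, and only a connection that follows a deep-link launch and leaves the allowlist is worth an alert.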
