Critical Microsoft Authenticator flaw: what to do this week
A critical vulnerability in Microsoft Authenticator lets attackers steal work account access with a single tap. Here’s what it means and what to do now.
By the Dragon Digital team
If your team uses Microsoft Authenticator on their phones to approve work sign-ins, this one needs attention. Microsoft has published CVE-2026-41615, a critical flaw in the app that lets an attacker steal a sign-in token the moment a user taps “yes” on what looks like a normal login request.
Microsoft labels it “information disclosure”, which is technically accurate and practically misleading. A leaked password, you change. A leaked sign-in token gives an attacker roughly an hour of full access to your work account, including email, Teams, SharePoint, everything, without needing your password at all. For a busy accountant in Rhyl or a consultant in Wrexham, that’s not a data leak. It’s a full account takeover.
Why this one is different
Authenticator isn’t just another app. It’s the front door to every Microsoft 365 service your business uses. When Outlook has a bug, you lose some time. When Authenticator has a flaw in how it handles sign-in tokens, an attacker can walk straight into your tenant and you’d barely know until the damage was done.
The affected versions are Android before 6.2605.2973 and iOS before 6.8.47. No confirmed attacks in the wild yet, but that window closes fast once a critical CVE goes public. The attack does require someone to tap “yes”, but well-resourced attackers have spent years perfecting the timing and social pressure to make that happen. Relying on your team’s judgment at 9am on a Tuesday is a hope, not a control.
What to do this week
Start with personal phones. Most staff use their own device for Authenticator, and personal phones often have auto-updates off or delayed. Check that every team member has the latest version installed.
For managed devices, push the update now. Don’t rely on auto-update. Force the install through Intune or whichever mobile device management (MDM) tool you have in place, and confirm the installed version against the fixed ones above.
For high-privilege accounts, such as administrators, finance staff, and anyone touching payroll or client data, revoke active sessions in Entra ID (Microsoft’s identity service, the system that manages logins) once the update is confirmed. Revoking invalidates the refresh tokens, so anything an attacker already holds stops working once the current short-lived token expires; doing it before the update is confirmed just hands them a fresh chance at the next sign-in. It takes a minute per user and it’s worth it.
While you’re in Entra ID, check your Conditional Access policies. Sign-in frequency, session lifetimes, and device compliance requirements should all be tighter on privileged roles than on general staff. If your global admins are running on long-lived sessions, now is a good time to fix that.
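The session revocation and Conditional Access check above, as an added PowerShell example against Microsoft Graph (not Dragon Digital’s or Microsoft’s own script). It assumes the Microsoft.Graph PowerShell SDK is installed and the admin can consent to the listed scopes; the role names and the 12-hour threshold are assumptions to adjust for your tenant.

```powershell
# Added example, not Dragon Digital's or Microsoft's own script. Assumes the
# Microsoft.Graph PowerShell SDK is installed and the admin running it can consent
# to the scopes below. The role list and the 12-hour threshold are assumptions.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users.Actions

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.RevokeSessions.All", "Policy.Read.All"

# Step 1: revoke sessions for members of privileged roles. Run this only after the
# Authenticator update is confirmed, otherwise the next sign-in can be stolen again.
$PrivilegedRoles = @("Global Administrator", "Security Administrator", "Exchange Administrator")
$DryRun = $true   # flip to $false once the list printed below looks right

# Get-MgDirectoryRole lists only roles that have been activated in the tenant.
$allRoles = Get-MgDirectoryRole -All
foreach ($roleName in $PrivilegedRoles) {
    $role = $allRoles | Where-Object DisplayName -eq $roleName
    if (-not $role) { Write-Warning "Role '$roleName' is not activated here"; continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user objects hold refresh tokens; skip groups and service principals.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $upn = $member.AdditionalProperties['userPrincipalName']
        if ($DryRun) { Write-Output "Would revoke sessions: $upn ($roleName)"; continue }
        # Invalidates refresh tokens; already-issued access tokens last until they expire.
        Revoke-MgUserSignInSession -UserId $member.Id | Out-Null
        Write-Output "Revoked sessions: $upn ($roleName)"
    }
}

# Step 2: flag enabled Conditional Access policies whose sign-in frequency is
# missing or longer than the threshold, so privileged-role policies can be tightened.
$MaxHours = 12
foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled') {
    $sif = $policy.SessionControls.SignInFrequency
    if (-not $sif -or -not $sif.IsEnabled) {
        Write-Output "NO SIGN-IN FREQUENCY: $($policy.DisplayName)"
        continue
    }
    # FrequencyInterval 'everyTime' forces reauthentication on each sign-in; nothing to flag.
    if ($sif.FrequencyInterval -eq 'everyTime') { continue }
    $hours = if ($sif.Type -eq 'days') { [int]$sif.Value * 24 } else { [int]$sif.Value }
    if ($hours -gt $MaxHours) {
        Write-Output "LONG SIGN-IN FREQUENCY ($hours h): $($policy.DisplayName)"
    }
}
```

Review the dry-run output first; the second half only reports, so a policy flagged here still needs to be edited in the Entra admin centre.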
The bigger picture
This CVE is a nudge toward a conversation worth having: whether Authenticator push-approval is the right choice for your most sensitive accounts. Passkeys and hardware security keys, known as FIDO2 methods, can’t be tricked into leaking tokens the way Authenticator can. Our guide to what the NCSC’s passkey advice means for your business covers the options in plain English if you want a starting point.
If you handle card payments, client files, or anything regulated, this is the kind of incident that closes the budget conversation on phishing-resistant authentication. The risk stopped being hypothetical the day this CVE went public.
Patch the app. Revoke the sessions on privileged accounts. Then ask whether push-approval MFA is still the right long-term call. Dragon Digital handles identity hardening and security audits for businesses across North Wales, and can help you work out whether your current setup is as solid as it should be.