Overview
CVE-2026-33875 is a critical-severity (CVSS 9.3) authentication flow hijacking vulnerability in Gematik Authenticator, the identity verification component used to authenticate German healthcare professionals and patients into digital health applications (DiGA). Published on March 27, 2026, the flaw affects all versions prior to 4.16.0 and can be exploited by an attacker who convinces a victim to click a malicious deep link.
Gematik Authenticator is a core piece of Germany's telematics infrastructure (TI), acting as the bridge between electronic health cards and web-based health applications. A successful exploit allows an attacker to complete an authentication flow with the identity of the victim user — gaining access to sensitive health records, prescriptions, and patient data tied to that account.
Technical Details
Vulnerability Root Cause
The flaw is an authentication flow hijacking vulnerability rooted in improper handling of deep link callbacks during the OAuth/OpenID Connect flow. The authenticator app does not sufficiently validate the origin and integrity of deep link parameters received during the authentication redirect chain.
Attack Flow
- Attacker crafts a malicious deep link — The link mimics a legitimate Gematik Authenticator deep link callback URL but contains attacker-controlled parameters embedded in the redirect URI or state token.
- Victim clicks the link — User interaction is required. The attacker may deliver the link via phishing email, SMS, or a compromised web page.
- Authenticator processes the malicious callback — Because the app does not adequately validate the deep link's origin or bind the authentication response to the original session, the attacker can inject or substitute their own session state.
- Authentication completes as the victim — The attacker gains an authenticated session token valid for the targeted digital health application, without ever possessing the victim's health card PIN or credentials.
Scope of Impact
Because Gematik Authenticator is used across a wide range of German statutory health insurance (GKV) digital services, exploitation could provide unauthorized access to:
- Electronic patient records (ePA)
- Digital prescriptions (eRezept)
- Medical certificates and referrals
- Patient-facing health application portals
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 9.3 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
The high score reflects the sensitivity of the data accessible via successful exploitation and the low barrier to attack — no credentials are needed, and the only prerequisite is a victim clicking a link.
Affected Versions
| Software | Affected Versions |
|---|---|
| Gematik Authenticator | All versions prior to 4.16.0 |
Patch & Mitigation
Patch: Update Gematik Authenticator to version 4.16.0 or later. The patch introduces proper deep link origin validation and cryptographic binding of authentication state tokens to prevent substitution attacks.
Immediate mitigations for unpatched environments:
- Update immediately — All users and healthcare IT administrators should push the v4.16.0 update as an emergency patch given the CVSS 9.3 severity.
- User awareness — Instruct users not to click authentication links received via unexpected communications, especially SMS or email. Gematik authentication flows should only be initiated from within official portals.
- Monitor for anomalous sessions — Health application providers should audit logs for authentication events that do not correspond to expected patient or practitioner activity patterns.
- App store verification — Ensure only the official Gematik Authenticator app from the Apple App Store or Google Play Store is installed, and that auto-updates are enabled.
Context: Gematik & Germany's Health Telematics
Gematik GmbH is the German government-owned organization responsible for the country's digital health infrastructure. The Gematik Authenticator is a key component of the telematics infrastructure connecting approximately 73 million statutory health insurance members, over 170,000 physicians, and tens of thousands of pharmacies across Germany.
Vulnerabilities in Gematik infrastructure carry elevated real-world risk because of:
- The sensitivity and volume of personal health data at stake
- The legal protections surrounding health data under GDPR and the German Social Code (SGB)
- The potential for impersonation in healthcare contexts (fraudulent prescriptions, unauthorized record access)
This vulnerability underscores the need for robust deep link handling security across all mobile health authentication applications, not just those in the German healthcare system.
Recommendations
All Gematik Authenticator users and healthcare IT administrators should treat this as a priority update. Version 4.16.0 contains the fix. Given the critical nature of the authentication infrastructure and the sensitivity of health data, immediate patching is strongly recommended over any interim mitigation approach.
Healthcare application providers that rely on Gematik Authenticator as an identity provider should verify their user base has updated to the patched version before considering the risk mitigated.