gematik Authenticator

Remote Code Execution via a Crafted Keychain File

On macOS, the gematik Authenticator interpolates keychain file paths into a shell command while building its TLS trust store. A .keychain-db file whose name embeds a shell command runs that command in the Authenticator's process the next time the application launches.

Authored by: Chiara Fliegner, Volker Schönefeld, Simon Weber
Disclosed: 2026-03-26
Fully disclosed: 2026-05-21

Severity: High
CVSS: 7.8
CVSS 3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-78 (OS Command Injection)
Product: gematik Authenticator
Affected Versions: v4.12.0 through v4.15.2 (macOS only; Windows is not affected)
Fixed In: v4.16.0
CVE: CVE-2026-33874
GHSA: GHSA-mjgm-7hwc-qqcr

Description

On macOS, the Authenticator builds its TLS trust store by reading the system keychains. getMacOSCertificates() runs security list-keychains and interpolates each returned keychain path into a second shell command. The only sanitization strips double quotes, leaving shell metacharacters (;, backticks, $(), |, &) intact:

Keychain path interpolated into a shell command (vulnerable code as shipped in the affected versions)

    const { execSync } = require('child_process');

    // `security list-keychains` prints one keychain path per line.
    const keychains = execSync('security list-keychains')
      .toString()
      .split('\n')
      .map((kc) => kc.trim().replace(/"/g, '')); // strips only double quotes

    keychains.forEach((keychain) => {
      // The path is spliced into a command string that execSync hands to a
      // shell, so any metacharacters in the path are evaluated by the shell.
      const rawCerts = execSync(`security find-certificate -a -p ${keychain}`).toString();
    });

The certificate load runs on every launch as top-level code in the preload chain, so no interaction beyond starting the application is required to trigger it. An attacker delivers a .keychain-db file whose filename embeds a shell command. On macOS, opening such a file adds it to the keychain search list, and the com.apple.quarantine download flag is not evaluated for this file type. On the next launch, the crafted filename is interpolated into the command and the shell evaluates the embedded payload.

Impact

  • Arbitrary command execution in the Authenticator's Electron main process with the user's privileges, with access to the OS credential store (IDP tokens, Konnektor TLS client certificates), the filesystem, and environment variables.
  • The poisoned keychain fires on every launch and survives reboots and updates until it is removed from Keychain Access.
  • Delivery is by phishing (an emailed .keychain-db attachment); the download can be made to appear to originate from a gematik domain by chaining the deep link hijack.

Mitigation

Update to v4.16.0 or later. Replace execSync with execFileSync('security', [...]) so arguments bypass the shell entirely, and, as defense-in-depth, reject keychain paths containing shell metacharacters ($, backticks, ;, |, &, or newlines).

Defender's Checklist

  • Confirm the deployed version

    Ensure macOS workstations run gematik Authenticator v4.16.0 or later; v4.12.0 through v4.15.2 are affected. Windows is not affected.

  • Be wary of .keychain-db attachments

    Treat unsolicited keychain files as untrusted. Opening one adds it to the keychain search list; it does not need to come from a trusted source to take effect.

Severity Reasoning

  • AV:L: The injection triggers from a keychain file that has been placed on the local machine.
  • AC:L: No special conditions beyond the crafted filename.
  • PR:N: No account or privileges on the target are required.
  • UI:R: The victim must open the crafted file and subsequently launch the Authenticator.
  • S:U: Execution stays within the user's own security scope.
  • C:H: The injected command can read the user's credential store, certificates, and files.
  • I:H: It can modify files and data the user can write.
  • A:H: It can disrupt the user's environment and the application.

Severity matches the vendor's GHSA score (CVSS 7.8). The vector is local (AV:L); delivery by phishing or via the chained deep-link hijack does not change the vendor's published score.

Who We Are

The security researchers behind this advisory.

Dr. rer. nat. Simon Weber

Senior Pentester & MedSec Researcher

I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.

  • PhD on Hospital Cybersecurity
  • Critical vulnerabilities found in hospital systems
  • Alumnus of THB MedSec Research Group
  • gematik Security Hero
Dipl.-Inf. Volker Schönefeld

Senior Application Security Expert

As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.

  • 20+ years as CTO, 50M+ app downloads
  • Architected and secured large-scale IoT fleets
  • Certified Web Exploitation Specialist
  • gematik Security Hero

Looking for a Penetration Test?

Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.