Multi-factor-fatigue campaigns don't need you to say yes 47 times anymore. They need you to say yes once. The Okta Verify push response wasn't bound to the originating challenge on Classic tenants, and the jti replay window was 120 seconds. CVE-2026-7491.
What the bug is
Affected: Okta Verify for iOS 9.26 and earlier, and Okta Verify for Android 9.24 and earlier, when served by a tenant still running the Okta Classic engine. CVSS 8.1. Impact: multi-factor bypass via response replay. The server-side component validates that the signed push response is recent and unexpired, but it does not verify that the jti claim matches the specific challenge the server issued for the login attempt in flight.
In plain English: a legitimate approval you tapped for your own 9 a.m. login is accepted by the server as a valid approval for a different login attempt at 9:01 a.m. — one the attacker initiated — as long as the same user account is involved and the response lands inside the 120-second window.
How the attack works
The attacker intercepts one genuine push approval. Not a hard ask — the interception point is anywhere between the device and Okta's servers: a shared corporate proxy, a malicious mobile-device-management profile, a hostile Wi-Fi network, a jailbroken phone under attacker control. A single intercepted approval is enough.
The attacker then initiates a fresh login against the victim's Okta account while the captured response is still fresh. The victim never sees a second push prompt — because the attacker isn't asking for one. They're replaying the signed response they already have, against the new challenge. The server accepts it. Multi-factor is bypassed without a second user interaction.
Why this matters even if you're not on Classic
Most tenants that migrated to the Okta Identity Engine still have Classic-compatible fallback paths enabled for legacy integrations — older SAML apps, on-prem connectors, custom API clients that haven't been re-certified. The fallback path uses the Classic authentication flow for that session, which means the replay window applies even on an otherwise-modernized tenant.
Check your tenant settings. If you see any entry under "Classic Sign-On Policies" or if any org-scoped app has "Legacy Authentication" toggled on, you still have the exposure. The modernization banner in your admin console is not sufficient evidence that the fallback is off.
The fix
Four steps, in order:
- Force an Okta Verify app update. Minimum versions: iOS 9.27, Android 9.25. Push the update through your mobile-device-management tool if you have one; otherwise, enforce it via an app-version policy in Okta admin.
- Complete migration to the Okta Identity Engine. Use the Okta Identity Engine upgrade checklist and set the tenant authentication engine to "Identity Engine only" in admin settings.
- Disable Classic Sign-On Policies and any legacy-authentication fallback flags. This often requires re-certifying the apps that still depended on them — budget two to three weeks for enterprise tenants with more than 30 SAML integrations.
- Run a push-replay drill against your staging tenant before declaring the migration done. Tap a legitimate push, capture the signed response through a proxy, and attempt to replay it against a fresh login within 120 seconds. After the fix, this should fail.
How Celvex Sentry catches this
Attack-and-Detect Pairing correlates Okta tenant-type fingerprints — visible from the metadata endpoint — with the SIEM events a replay produces. The scanner proves whether your detection would actually catch the attack rather than pretending it will. If your Okta log pipeline is configured to alert on "same jti, two successful authentications inside 120 seconds," we fire a benign probe that triggers the same pattern and verify the alert arrives. If the alert doesn't arrive, the tenant-policy finding escalates to Critical.
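The "same jti, two successful authentications inside 120 seconds" rule from the paragraph above, as an added example run over constructed log records (this is not Celvex Sentry's or Okta's code). The field names `published`, `user`, `jti`, `outcome` and `client_ip` are assumptions; map them to whatever your Okta log pipeline actually emits.

```python
"""Flag replayed Okta Verify push approvals: one jti accepted for two
successful authentications inside the replay window (default 120 s)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real Okta System Log output. Field names
# are assumptions for this example; map them to your own pipeline's schema.
SAMPLE_EVENTS = [
    # Legitimate 9:00 approval, then the same jti accepted again 68 s later
    # from a different client IP: the replay pattern described above.
    {"published": "2026-03-02T09:00:04Z", "user": "a.lee@example.com",
     "jti": "c3f1-legit", "outcome": "SUCCESS", "client_ip": "10.20.1.15"},
    {"published": "2026-03-02T09:01:12Z", "user": "a.lee@example.com",
     "jti": "c3f1-legit", "outcome": "SUCCESS", "client_ip": "203.0.113.9"},
    # Same jti reused about 25 min apart: outside the window, so not flagged
    # here (the server's expiry check would already reject it).
    {"published": "2026-03-02T09:05:30Z", "user": "b.ng@example.com",
     "jti": "7a9e-once", "outcome": "SUCCESS", "client_ip": "10.20.1.40"},
    {"published": "2026-03-02T09:30:00Z", "user": "b.ng@example.com",
     "jti": "7a9e-once", "outcome": "SUCCESS", "client_ip": "10.20.1.40"},
    # Failure followed by one success: only one SUCCESS, so not flagged.
    {"published": "2026-03-02T09:06:00Z", "user": "c.ortiz@example.com",
     "jti": "d002-fail", "outcome": "FAILURE", "client_ip": "198.51.100.7"},
    {"published": "2026-03-02T09:06:30Z", "user": "c.ortiz@example.com",
     "jti": "d002-fail", "outcome": "SUCCESS", "client_ip": "198.51.100.7"},
]

def parse_ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def find_replays(events, window_seconds=120):
    """Return one tuple (user, jti, first_ts, second_ts, second_ip) for each
    consecutive pair of SUCCESS events sharing (user, jti) whose timestamps
    lie within window_seconds. Grouping and sorting per key means out-of-order
    ingestion does not hide a pair."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "SUCCESS":
            by_key[(ev["user"], ev["jti"])].append(ev)
    alerts = []
    for (user, jti), evs in by_key.items():
        evs.sort(key=lambda ev: parse_ts(ev["published"]))
        for first, second in zip(evs, evs[1:]):
            gap = parse_ts(second["published"]) - parse_ts(first["published"])
            if gap <= window:
                alerts.append((user, jti, first["published"],
                               second["published"], second["client_ip"]))
    return alerts
```

Feeding your own exported events through `find_replays` is the cheapest way to confirm the rule fires on the pattern before relying on the SIEM alert; any hit after the fix is deployed deserves a look at the second event's client IP.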
Pen-testers hand you a PDF once a year; Celvex Sentry runs every attack they would, every week, and proves the ones that still work — with a fix attached.