Skip to main content

Himmelblau CVE-2026-45108

| EUVDEUVD-2026-32633 HIGH
Incorrect Authorization (CWE-863)
2026-05-27 GitHub_M
8.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch available
May 27, 2026 - 21:04 EUVD
Analysis Generated
May 27, 2026 - 20:37 vuln.today
CVE Published
May 27, 2026 - 18:53 nvd
HIGH 8.4

DescriptionGitHub Advisory

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11.

AnalysisAI

Authorization bypass in Himmelblau (the open-source Entra ID/Intune interoperability suite) versions 2.0.0 through 3.1.4 and the 2.3.x branch before 2.3.11 lets any authenticated user in the same Entra ID domain obtain a local Unix login session as a different user by presenting only their own valid credentials. The flaw lives in the token_validate function of the Device Authorization Grant flow, which matched only the domain portion of the User Principal Name and ignored the username (local part), so a low-privileged domain member can impersonate higher-value accounts on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the issue is a confirmed identity-spoofing defect fixed by the vendor.

Technical ContextAI

Himmelblau (vendor himmelblau-idm) bridges Linux hosts to Microsoft Azure Entra ID and Intune, providing PAM/NSS-style authentication so users log into Unix systems with their cloud identities. It uses the OAuth 2.0 Device Authorization Grant (DAG) flow, in which a device obtains an access token tied to a User Principal Name of the form username@domain. The defect is rooted in CWE-863 (Incorrect Authorization): the token_validate routine correctly resolved and compared domain aliases to support legitimate multi-domain/tenant-alias deployments, but it only compared the domain segment of the UPN and never confirmed that the local part - the actual username - of the validated token matched the account the session was being requested for. As a result, possession of any valid token within an accepted domain satisfied the check regardless of which user the token actually belonged to.

RemediationAI

Vendor-released patch: upgrade to Himmelblau 3.1.5 (3.x deployments) or 2.3.11 (2.3.x maintenance line) per advisory GHSA-pmxh-j4r6-88mv (https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-pmxh-j4r6-88mv). There is no documented configuration-only workaround for the username-matching flaw, so patching is the primary control. As interim compensating measures until you can upgrade, restrict which Entra ID accounts are permitted to establish local Unix sessions on sensitive hosts (tighten Himmelblau's allowed-users/groups mapping so far fewer domain members can authenticate), and limit shared multi-user access to high-value systems - the trade-off is reduced login flexibility for legitimate users. Increase auditing of local logins versus the expected user-to-host mapping to detect impersonation, and constrain or review multi-domain alias configurations since the bug is exacerbated where multiple domains/aliases are accepted; tightening alias acceptance may break legitimate cross-domain logins, so validate against your tenant topology before applying.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-45108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy