Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11.
AnalysisAI
Authorization bypass in Himmelblau (the open-source Entra ID/Intune interoperability suite) versions 2.0.0 through 3.1.4 and the 2.3.x branch before 2.3.11 lets any authenticated user in the same Entra ID domain obtain a local Unix login session as a different user by presenting only their own valid credentials. The flaw lives in the token_validate function of the Device Authorization Grant flow, which matched only the domain portion of the User Principal Name and ignored the username (local part), so a low-privileged domain member can impersonate higher-value accounts on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the issue is a confirmed identity-spoofing defect fixed by the vendor.
Technical ContextAI
Himmelblau (vendor himmelblau-idm) bridges Linux hosts to Microsoft Azure Entra ID and Intune, providing PAM/NSS-style authentication so users log into Unix systems with their cloud identities. It uses the OAuth 2.0 Device Authorization Grant (DAG) flow, in which a device obtains an access token tied to a User Principal Name of the form username@domain. The defect is rooted in CWE-863 (Incorrect Authorization): the token_validate routine correctly resolved and compared domain aliases to support legitimate multi-domain/tenant-alias deployments, but it only compared the domain segment of the UPN and never confirmed that the local part - the actual username - of the validated token matched the account the session was being requested for. As a result, possession of any valid token within an accepted domain satisfied the check regardless of which user the token actually belonged to.
RemediationAI
Vendor-released patch: upgrade to Himmelblau 3.1.5 (3.x deployments) or 2.3.11 (2.3.x maintenance line) per advisory GHSA-pmxh-j4r6-88mv (https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-pmxh-j4r6-88mv). There is no documented configuration-only workaround for the username-matching flaw, so patching is the primary control. As interim compensating measures until you can upgrade, restrict which Entra ID accounts are permitted to establish local Unix sessions on sensitive hosts (tighten Himmelblau's allowed-users/groups mapping so far fewer domain members can authenticate), and limit shared multi-user access to high-value systems - the trade-off is reduced login flexibility for legitimate users. Increase auditing of local logins versus the expected user-to-host mapping to detect impersonation, and constrain or review multi-domain alias configurations since the bug is exacerbated where multiple domains/aliases are accepted; tightening alias acceptance may break legitimate cross-domain logins, so validate against your tenant topology before applying.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SLES-CHOST-BYOS-Azure | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32633