Impact
Himmelblau, an interoperability suite that lets Linux hosts authenticate against Microsoft Entra ID (formerly Azure AD) and enroll in Intune, allows authentication to proceed when the per-tenant domain configuration is omitted from its configuration file. In that state the software accepts authentication attempts for any Entra ID domain: rather than rejecting a domain outside the configured tenant, it creates a provider for the caller's domain on the fly during login. An attacker holding an account in any Entra ID tenant, including one they create themselves, can therefore authenticate to the affected host, bypassing the tenant isolation the configuration was meant to enforce. The weakness corresponds to CWE-1188, "Initialization of a Resource with an Insecure Default": an unset domain list silently defaults to "allow every tenant" instead of failing closed. The described impact is unauthorized access to user accounts on the host and potentially to data reachable from those accounts, without any credentials for the victim tenant.
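The decision the advisory describes, modelled as an added example (this is not Himmelblau's own code): given the domain list from the configuration file, which user principal names should a host accept? It assumes, for illustration only, an INI-style file with a `[global]` section whose `domains` key is a comma-separated allowlist, and UPNs of the form `user@domain`; the two sample configurations and the account names are constructed. `accepts_unscoped` reproduces the behaviour the advisory describes (an empty list means every tenant is accepted), and `accepts_scoped` is the fail-closed alternative in which an omitted list accepts nothing.

```rust
// Added example, not code from the Himmelblau project. Models the tenant
// scoping decision from the advisory. The config format below (a `[global]`
// section with a comma-separated `domains` key) is an assumption for the
// demonstration; the sample configs and account names are constructed.

use std::collections::HashSet;

/// Extract the `domains` allowlist from INI-like config text.
/// Returns an empty set when the key is absent, blank, or commented out.
pub fn configured_domains(config: &str) -> HashSet<String> {
    let mut in_global = false;
    let mut domains = HashSet::new();
    for raw in config.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') {
            continue;
        }
        if line.starts_with('[') && line.ends_with(']') {
            in_global = line.eq_ignore_ascii_case("[global]");
            continue;
        }
        if !in_global {
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            if key.trim().eq_ignore_ascii_case("domains") {
                for d in value.split(',') {
                    let d = d.trim().to_ascii_lowercase();
                    if !d.is_empty() {
                        domains.insert(d);
                    }
                }
            }
        }
    }
    domains
}

/// Domain part of a UPN, lower-cased; None if there is no usable domain.
fn upn_domain(upn: &str) -> Option<String> {
    let (_, domain) = upn.rsplit_once('@')?;
    if domain.is_empty() {
        return None;
    }
    Some(domain.to_ascii_lowercase())
}

/// Unscoped behaviour described in the advisory: with no configured
/// domains, any UPN's domain is accepted (a provider is created on the fly).
pub fn accepts_unscoped(domains: &HashSet<String>, upn: &str) -> bool {
    match upn_domain(upn) {
        None => false,
        Some(d) => domains.is_empty() || domains.contains(&d),
    }
}

/// Fail-closed variant: an empty allowlist accepts nothing, so a host whose
/// config omits `domains` cannot silently become multi-tenant.
pub fn accepts_scoped(domains: &HashSet<String>, upn: &str) -> bool {
    match upn_domain(upn) {
        None => false,
        Some(d) => !domains.is_empty() && domains.contains(&d),
    }
}

/// Constructed sample configurations for the demonstration.
pub const CONF_MISSING_DOMAINS: &str = "[global]\n# domains key omitted entirely\n# domains =\n";
pub const CONF_SCOPED: &str = "[global]\ndomains = contoso.onmicrosoft.com, corp.example.com\n";

fn main() {
    let weak = configured_domains(CONF_MISSING_DOMAINS);
    let strict = configured_domains(CONF_SCOPED);
    let attacker = "mallory@attacker-tenant.onmicrosoft.com";
    let employee = "alice@contoso.onmicrosoft.com";
    println!("domains omitted, unscoped:    attacker accepted = {}", accepts_unscoped(&weak, attacker));
    println!("domains omitted, fail-closed: attacker accepted = {}", accepts_scoped(&weak, attacker));
    println!("domains set: employee accepted = {}, attacker accepted = {}",
        accepts_unscoped(&strict, employee), accepts_unscoped(&strict, attacker));
}
```

With the first configuration, the unscoped rule admits a foreign-tenant account; with an explicit `domains` list, both rules reject it. The practical check on a deployed host is the same comparison: if the domain list in the configuration file is empty, treat the host as open to every tenant until it is set.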
Affected Systems
Affected versions are Himmelblau 3.0.0 and later, up to but not including 3.1.0, which is the first unaffected release. The product is himmelblau-idm:himmelblau, identified by the CPE string cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:*.
Risk and Exploitability
The CVSS base score of 10.0 indicates critical severity. The EPSS score is below 1 %, which reflects a low estimated probability of exploitation in the wild over the next 30 days; it says nothing about whether the flaw has already been exploited. The vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based and requires no privileges on the target: an attacker needs only to initiate the authentication flow against an instance that lacks a configured tenant domain, presenting credentials from a tenant they control. Once the flaw is triggered, the attacker obtains a login on the host as a user from a foreign Entra ID tenant, with whatever access that host grants to authenticated users. Operators should upgrade to 3.1.0 and, independently of the upgrade, confirm that the domain list (the domains setting in himmelblau.conf) is set explicitly on every host, since an empty list is exactly the condition that makes the host accept any tenant.