Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose mapped CN/short name exactly matches a privileged local group name (e.g., "sudo", "wheel", "docker", "adm") can cause the NSS module to resolve that group name to their fake primary group. If the system uses NSS results for group-based authorization decisions (sudo, polkit, etc.), this can grant the attacker the privileges of that group. This issue has been patched in versions 2.3.9 and 3.1.1.
Published: 2026-04-01
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an authenticated user to gain elevated privileges by exploiting a naming collision in the NSS module. When a user’s mapped CN or short name matches that of a privileged local group—such as "sudo", "wheel" or "docker"—the NSS module mistakenly resolves the group name to the user’s fake primary group. If a system performs group‑based authorization decisions using NSS results, the attacker can inherit the privileges of the target group, effectively escalating locally.

Affected Systems

The affected product is the Himmelblau suite from himmelblau‑idm. Versions from 2.0.0‑alpha through just before 2.3.9 and from 3.0.0‑alpha through just before 3.1.1 are compromised, while the patched releases 2.3.9 and 3.1.1 contain the fix.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. No EPSS score is available, so the exact exploitation likelihood is uncertain. The vulnerability is not listed in the CISA KEV catalog, but the attack vector is local and requires authentication; any system that relies on NSS for group‑based authorization is at risk. The impact is the ability to acquire privileges of a privileged local group.

Generated by OpenCVE AI on April 2, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch by upgrading to Himmelblau 2.3.9 or newer, or 3.1.1 or newer, depending on the branch in use.
  • Confirm the upgrade by checking the installed version and testing group membership resolution.

Generated by OpenCVE AI on April 2, 2026 at 03:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:*

Sat, 04 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Himmelblau-idm
Himmelblau-idm himmelblau
Vendors & Products Himmelblau-idm
Himmelblau-idm himmelblau

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose mapped CN/short name exactly matches a privileged local group name (e.g., "sudo", "wheel", "docker", "adm") can cause the NSS module to resolve that group name to their fake primary group. If the system uses NSS results for group-based authorization decisions (sudo, polkit, etc.), this can grant the attacker the privileges of that group. This issue has been patched in versions 2.3.9 and 3.1.1.
Title himmelblau: NSS fake-primary group lookup reintroduces name collision risk
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Himmelblau-idm Himmelblau
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-04T03:05:13.451Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34397

cve-icon Vulnrichment

Updated: 2026-04-04T03:04:50.577Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T18:16:30.330

Modified: 2026-04-15T17:14:04.947

Link: CVE-2026-34397

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:17:06Z

Weaknesses