Description
linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome's urlFilter without a | or || anchor is substring-matched against the full request URL. The same applied rule action is modifyHeaders that attaches the Entra ID Primary Refresh Token cookie. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs a belt-and-braces startsWith(Platform.SSO_URL) check before injecting the header; the Chrome adapter does not. When the extension holds broad host permissions through the optional_host_permissions: ["https://*/*"] declared in platform/chrome/manifest.json:34, a main-frame navigation to a URL whose path embeds https://login.microsoftonline.com/ causes Chrome to attach the PRT cookie to the request to the attacker-controlled host. This vulnerability is fixed in 1.8.1.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 1.8.1 the Chrome adapter of the linux-entra-sso browser extension registers a declarativeNetRequest rule whose urlFilter is "https://login.microsoftonline.com/*" with no "|" or "||" anchor. Chrome matches an unanchored urlFilter as a substring of the full request URL, so the rule's modifyHeaders action, which attaches the Entra ID Primary Refresh Token (PRT) cookie, fires on any request whose URL merely contains "https://login.microsoftonline.com/", not only on requests to that host. Because the extension can be granted the broad optional host permission "https://*/*", a main-frame navigation to an attacker-controlled URL whose path embeds that string (for example a path segment of the form /.../https://login.microsoftonline.com/) causes Chrome to send the PRT cookie to the attacker's host. An attacker who can get the user to open such a page receives the cookie and can replay it to obtain an SSO session in the user's Entra ID tenant. The Firefox adapter is not affected by this issue: it checks startsWith(Platform.SSO_URL) before injecting the header.
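The following is an added example, not code from the linux-entra-sso project or from this page: it emulates Chrome's declarativeNetRequest urlFilter semantics in plain JavaScript so the leak can be reproduced offline, places the unanchored rule shape the advisory describes next to a hardened variant, and runs both over constructed sample URLs. The "|" and "||" anchors and the requestDomains condition are real declarativeNetRequest features; the Cookie header name and value, the resourceTypes list, the sample URLs and the hardened rule itself are assumptions made here and are not the project's 1.8.1 fix, which the page does not show.

```javascript
// Added example (not the linux-entra-sso project's code). Emulates Chrome's
// declarativeNetRequest urlFilter matching to show why an unanchored filter
// leaks the PRT cookie to any URL that embeds the SSO origin as a substring.

const SSO_URL = "https://login.microsoftonline.com"; // Platform.SSO_URL per the advisory

// Simplified emulation of Chrome's urlFilter syntax (case-insensitive, Chrome's
// default): "||" anchors to the start of a (sub)domain, a leading "|" to the
// start of the URL, a trailing "|" to the end, "*" is a wildcard and "^" a
// separator. With no anchor the filter is an ordinary substring match.
function urlFilterToRegex(urlFilter) {
  let f = urlFilter;
  let prefix = "";
  let suffix = "";
  if (f.startsWith("||")) {
    prefix = "^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?";
    f = f.slice(2);
  } else if (f.startsWith("|")) {
    prefix = "^";
    f = f.slice(1);
  }
  if (f.endsWith("|")) {
    suffix = "$";
    f = f.slice(0, -1);
  }
  const body = Array.from(f, (ch) => {
    if (ch === "*") return ".*";
    if (ch === "^") return "(?:[^A-Za-z0-9_.%-]|$)";
    return ch.replace(/[.+?()[\]{}\\$|]/g, "\\$&");
  }).join("");
  return new RegExp(prefix + body + suffix, "i");
}

// Rule shape registered before 1.8.1 as the advisory describes it: urlFilter is
// SSO_URL + "/*" with no anchor and the action is modifyHeaders. Header name,
// header value and resourceTypes are placeholders assumed for this example.
function vulnerableRule() {
  return {
    id: 1,
    priority: 1,
    action: {
      type: "modifyHeaders",
      requestHeaders: [{ header: "Cookie", operation: "set", value: "<PRT cookie placeholder>" }],
    },
    condition: { urlFilter: SSO_URL + "/*", resourceTypes: ["main_frame"] },
  };
}

// Hardened variant written for this example (not the project's fix): anchor the
// filter to the start of the URL with "|" and additionally restrict
// requestDomains, so the header is only ever attached to requests for the SSO host.
function hardenedRule() {
  const rule = vulnerableRule();
  rule.condition = {
    urlFilter: "|" + SSO_URL + "/*",
    requestDomains: ["login.microsoftonline.com"],
    resourceTypes: ["main_frame"],
  };
  return rule;
}

// Would Chrome apply `rule` to a request for `url`? Evaluates the urlFilter and,
// when present, the requestDomains condition (the domain or any subdomain).
function ruleApplies(rule, url) {
  const cond = rule.condition;
  if (!urlFilterToRegex(cond.urlFilter).test(url)) return false;
  if (cond.requestDomains) {
    const host = new URL(url).hostname.toLowerCase();
    return cond.requestDomains.some((d) => host === d || host.endsWith("." + d));
  }
  return true;
}

// Constructed sample URLs: the genuine SSO endpoint and an attacker-controlled
// host whose path embeds the SSO origin, the pattern the advisory describes.
const SAMPLE_URLS = {
  legit: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
  attacker: "https://attacker.example/redirect/https://login.microsoftonline.com/",
};

// Returns, per sample URL, whether the rule would attach the PRT cookie.
function leakReport(rule) {
  const out = {};
  for (const [name, url] of Object.entries(SAMPLE_URLS)) out[name] = ruleApplies(rule, url);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", leakReport(vulnerableRule()));
  console.log("hardened:  ", leakReport(hardenedRule()));
}
```

Run with node: the unanchored rule reports attacker: true, the anchored rule with requestDomains reports attacker: false while still matching the genuine endpoint. Two design points worth keeping in mind when writing such rules: the anchor alone fixes the substring problem, but a requestDomains (or initiatorDomains) condition is the defence that does not depend on getting filter syntax right; and any prefix check on the bare origin string without a trailing separator would also accept look-alike hosts such as login.microsoftonline.com.attacker.example, which is why the hardened rule compares the parsed hostname rather than the URL text.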

Affected Systems

The vulnerability affects the Siemens linux-entra-sso browser plugin for Linux in versions prior to 1.8.1, on Chromium-based browsers that support declarativeNetRequest. It is only reachable when the user has granted the extension the optional host permission "https://*/*" declared in platform/chrome/manifest.json; without that grant the rule cannot fire on third-party hosts. Only the Chrome adapter (platform/chrome/js/platform-chrome.js) is affected; the Firefox adapter checks startsWith(Platform.SSO_URL) before injecting the header.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium), vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N: remotely reachable, high attack complexity, no privileges required, user interaction required, and a high confidentiality impact with no integrity or availability impact. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, so active exploitation is assessed as unlikely, although the SSVC record (Exploitation: poc, Automatable: no, Technical Impact: partial) indicates a proof of concept exists. The attack requires three things to coincide: the vulnerable version of the extension, the broad "https://*/*" host permission granted to it, and a user who navigates (main frame) to an attacker-controlled URL whose path embeds https://login.microsoftonline.com/. The attacker only needs to host such a page or lure the user to the crafted URL; once the PRT cookie reaches the attacker's host it can be replayed for session hijack and for actions available to that user within the Entra ID tenant.

Generated by OpenCVE AI on May 12, 2026 at 19:49 UTC.

Remediation

The CVE description states that the issue is fixed in linux-entra-sso 1.8.1. No separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Update the linux-entra-sso extension to version 1.8.1 or later, the version the CVE description identifies as fixed.
  • If upgrading is not immediately possible, revoke the extension's broad "https://*/*" site-access grant in the browser's extension settings; the optional host permission is what lets the rule fire on third-party hosts, so limiting the extension to its intended SSO host closes the leak path.
  • Network filtering or host blocklists can only block known attacker hosts, since the cookie is sent over HTTPS to whatever host the crafted URL names; treat them as temporary containment, not a fix.

Advisories

No advisories yet.

History

Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Siemens; Siemens linux-entra-sso
Vendors & Products | | Siemens; Siemens linux-entra-sso

Tue, 12 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome's urlFilter without a | or || anchor is substring-matched against the full request URL. The same applied rule action is modifyHeaders that attaches the Entra ID Primary Refresh Token cookie. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs a belt-and-braces startsWith(Platform.SSO_URL) check before injecting the header; the Chrome adapter does not. When the extension holds broad host permissions through the optional_host_permissions: ["https://*/*"] declared in platform/chrome/manifest.json:34, a main-frame navigation to a URL whose path embeds https://login.microsoftonline.com/ causes Chrome to attach the PRT cookie to the request to the attacker-controlled host. This vulnerability is fixed in 1.8.1.
Title | | linux-entra-sso: PRT SSO cookie can leak to attacker-controlled hosts when broad host permissions are granted
Weaknesses | | CWE-284; CWE-436
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Subscriptions

Siemens Linux-entra-sso
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:37:56.682Z

Reserved: 2026-04-25T01:53:21.582Z

Link: CVE-2026-42177

Vulnrichment

Updated: 2026-05-13T14:35:55.088Z

NVD

Status : Deferred

Published: 2026-05-12T18:17:24.240

Modified: 2026-05-13T16:31:18.790

Link: CVE-2026-42177

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:37:59Z

Weaknesses