CVE-2026-45108 - Vulnerability Details

Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11.

Published: 2026-05-27

Score: 8.4 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in Himmelblau’s token validation routine used during the Device Authorization Grant flow. When a user authenticates with valid credentials, the system validates only the domain component of the user principal name, neglecting to compare the username part. This allows a legitimate user within the same Azure Entra ID domain to request a token for any other local account and obtain a local Unix session as that target account, effectively bypassing authentication and gaining unauthorized local privileges. The flaw represents a classic improper authorization error (CWE‑863).

Affected Systems

The affected product is Himmelblau IDM from Himmelblau‑IDM. Versions 2.0.0 through before 3.1.5 and 2.3.11 contain the flaw. The fix is available in 3.1.5 and 2.3.11 and later releases.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity of this unauthorized local session takeover. The EPSS score is unavailable, so exploitation likelihood cannot be quantified from an EPSS perspective. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to be a legitimate user in the same Entra ID domain and to possess valid credentials; no additional network exposure is required beyond the normal DAG flow. Once the flaw is exploited, the attacker can run arbitrary commands as the impersonated local user and potentially access confidential local data or further pivot within the host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

himmelblau-idm

himmelblau

affected

Version	Status	Constraints
`>= 2.0.0, < 2.3.11`	affected	—
`>= 3.0.0-alpha, < 3.1.5`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Himmelblau IDM to version 3.1.5 or 2.3.11 or any later release that includes the token_validate fix
Restrict or disable the Device Authorization Grant flow for users who should not have the ability to request tokens for arbitrary local accounts until the upgrade is applied
Confirm that the token validation logic checks the full user principal name—including both domain and local part—before granting access

Generated by OpenCVE AI on May 27, 2026 at 20:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-pmxh-j4r6-88mv

History

Wed, 27 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11.
Title		Himmelblau: Authentication Bypass via Cross-User Local Session Impersonation in Device Authorization Grant (DAG) Flow
Weaknesses		CWE-863
References		https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-pmxh-j4r6-88mv
Metrics		cvssV3_1 `{'score': 8.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T18:53:29.232Z

Updated: 2026-05-27T18:53:29.232Z

Reserved: 2026-05-08T19:27:26.699Z

Link: CVE-2026-45108

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T20:16:38.550

Modified: 2026-05-27T20:16:38.550

Link: CVE-2026-45108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:00:14Z

Weaknesses

CWE-863

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object