CVE-2026-31957
Received Received - Intake
Authentication Bypass in Himmelblau Due to Tenant Misconfiguration

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime. This behavior is intended for initial/local bootstrap scenarios, but it can create risk in remote authentication environments. This vulnerability is fixed in 3.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31957
EUVD
EUVD-2026-11321
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
himmelblau-idm himmelblau to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-31957 is a critical vulnerability in the Himmelblau identity management system versions 3.0.0 up to but not including 3.1.0. The issue arises when the tenant domain is not configured in the himmelblau.conf file under the [global] section. Without this configuration, authentication is not limited to a specific tenant, allowing Himmelblau to dynamically register authentication providers for any Entra ID domain at runtime.'}, {'type': 'paragraph', 'content': 'This means that authentication attempts from arbitrary tenants can succeed, especially during initial or local bootstrap scenarios, but also in remote authentication environments. The authentication operates on a "first successful tenant wins" basis, which can allow attackers from other tenants to gain unauthorized access.'}, {'type': 'paragraph', 'content': 'The vulnerability is particularly dangerous when host authorization relies on Entra group-based role mappings that grant privileged local access (such as sudo, admin, or root-equivalent privileges). An attacker controlling their own tenant can meet group membership conditions within their tenant and escalate privileges on the host.'}, {'type': 'paragraph', 'content': 'Additionally, during installation, Himmelblau starts before the tenant domain is set, creating a window where unscoped authentication can occur. Tenant/provider details from this period can be cached persistently, allowing continued unauthorized cross-tenant authentication even after the domain is configured.'}] [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and privilege escalation. Attackers from arbitrary tenants can authenticate and gain access to systems they should not have access to.

If your system uses Entra group-based role mappings for local privileges, attackers can exploit this to gain elevated privileges such as sudo, admin, or root-equivalent access.

Because tenant/provider details can be cached, unauthorized access may persist even after the tenant domain is properly configured, making detection and remediation more difficult.

This can lead to compromise of confidentiality, integrity, and availability of your systems, as reflected by the CVSS score of 10.0 (Critical).

Compliance Impact

I don't know

Detection Guidance

To detect this vulnerability, you can use the provided Python script that compares the configured tenant domains in /etc/himmelblau/himmelblau.conf against cached domains in /var/cache/himmelblaud/himmelblau.conf. This script flags unexpected cached domains that indicate unauthorized tenant entries.

Additionally, monitoring authentication and authorization logs for unexpected tenant domains, group mappings, and privileged access grants can help identify potential exploitation.

  • Run the Python detection script to compare configured and cached tenant domains.
  • Check /etc/himmelblau/himmelblau.conf for the tenant domain configuration.
  • Inspect /var/cache/himmelblaud/himmelblau.conf for cached tenant/provider entries.
  • Audit authentication logs (e.g., system auth logs) for unexpected tenant domain authentication attempts.
Mitigation Strategies

Immediate mitigation requires explicitly setting the tenant domain in the himmelblau.conf file under the [global] section (for example, domain = <your domain here>).

After configuring the tenant domain, restart the himmelblaud and himmelblaud-tasks daemons to enforce tenant scoping and prevent dynamic provider registration for arbitrary tenants.

Note that this does not clear previously cached tenant data, so manual audit and cleanup of cached entries in /var/cache/himmelblaud/himmelblau.conf may be necessary.

  • Set the tenant domain explicitly in /etc/himmelblau/himmelblau.conf under [global].
  • Restart the himmelblaud and himmelblaud-tasks services.
  • Avoid exposing remote PAM authentication interfaces (e.g., SSH) until tenant scoping is configured and verified.
  • Do not include privileged groups (sudo, admin, wheel) in Entra-driven local_groups or sudo_groups to prevent privilege escalation.
  • Audit and manually clean up local privileged group memberships.
  • Monitor authentication and authorization logs for unexpected tenant domains and privileged access.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31957. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart