CVE-2026-34397
Received Received - Intake
Local Privilege Escalation in Himmelblau NSS Module via Naming Collision

Publication date: 2026-04-01

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose mapped CN/short name exactly matches a privileged local group name (e.g., "sudo", "wheel", "docker", "adm") can cause the NSS module to resolve that group name to their fake primary group. If the system uses NSS results for group-based authorization decisions (sudo, polkit, etc.), this can grant the attacker the privileges of that group. This issue has been patched in versions 2.3.9 and 3.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34397
EUVD
EUVD-2026-17983
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
himmelblau-idm himmelblau From 2.0.0 (inc) to 2.3.9 (exc)
himmelblau-idm himmelblau From 3.0.0 (inc) to 3.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The CVE-2026-34397 vulnerability allows authenticated users to escalate privileges locally by exploiting a naming collision in the Himmelblau NSS module, potentially granting unauthorized root-equivalent access.

Such unauthorized privilege escalation can lead to unauthorized access to sensitive data or system controls, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive information.

However, the provided context and resources do not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.

Executive Summary

CVE-2026-34397 is a local privilege escalation vulnerability in the Himmelblau interoperability suite for Microsoft Azure Entra ID and Intune. It occurs in the NSS (Name Service Switch) module when there is a naming collision between a user's mapped CN/short name and a privileged local group name such as "sudo", "wheel", "docker", or "adm".

The vulnerability arises because the NSS module fails to apply a critical name-equality check during group lookups, allowing an authenticated user whose CN/short name exactly matches a privileged group name to have their fake primary group resolved as that privileged group. This can cause the system to treat the attacker as a member of that privileged group.

This issue affects Himmelblau versions from 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1 and has been patched in versions 2.3.9 and 3.1.1.

Impact Analysis

This vulnerability can allow an authenticated attacker to escalate their privileges on the affected system by gaining membership in privileged local groups such as "sudo" or "wheel".

If the system uses NSS results for group-based authorization decisions (for example, by sudo or polkit), the attacker can gain elevated privileges equivalent to those groups, potentially including root-level access.

The attack requires the attacker to have a CN/short name that exactly matches a privileged group name and the system to be configured with Himmelblau NSS enabled for group lookups.

Detection Guidance

This vulnerability involves a conditional local privilege escalation through a naming collision in the Himmelblau NSS module. Detection involves verifying if any authenticated user has a mapped CN/short name that exactly matches privileged local group names such as "sudo", "wheel", "docker", or "adm".

To detect potential exploitation or presence of this vulnerability on your system, you can check the following:

  • List all local privileged groups (e.g., sudo, wheel, docker, adm) using: getent group sudo wheel docker adm
  • Check if any authenticated Himmelblau users have CN/short names that exactly match these privileged group names.
  • Verify the NSS configuration in /etc/nsswitch.conf to see if Himmelblau is used for group lookups.
  • Review Himmelblau configuration (e.g., himmelblau.conf) to confirm if cn_name_mapping is enabled (true by default).

Since the vulnerability is related to NSS group name resolution, commands like the following may help identify suspicious group mappings or privilege escalations:

  • getent group | grep -E 'sudo|wheel|docker|adm' # To list privileged groups and their members
  • id <username> # To check group memberships of specific users
  • grep himmelblau /etc/nsswitch.conf # To confirm Himmelblau NSS module usage
Mitigation Strategies

Immediate mitigation steps for CVE-2026-34397 focus on preventing the name collision exploitation in the Himmelblau NSS module.

  • Upgrade Himmelblau to version 2.3.9 or later (including 3.1.1), where the vulnerability has been patched.
  • Temporarily disable the cn_name_mapping option by setting cn_name_mapping = false in the Himmelblau configuration to prevent short-name-to-UPN mapping and avoid the collision.
  • Configure NSS to prioritize local files (/etc/group) before Himmelblau for group lookups in /etc/nsswitch.conf to reduce risk, though this may vary by NSS implementation and application.
  • Administrators should specify group names by Object ID GUID or GID rather than by name in authorization configurations to avoid ambiguity.

These steps help prevent attackers from exploiting the naming collision to escalate privileges until the patched versions are deployed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34397. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart