CVE-2026-45108
Deferred Deferred - Pending Action
Authentication Bypass in Himmelblau Suite via DAG Flow

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-01
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45108
EUVD
EUVD-2026-32633
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
himmelblau himmelblau From 2.0.0 (inc) to 3.1.5 (exc)
himmelblau himmelblau 2.3.11
himmelblau himmelblau 3.1.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The authentication bypass vulnerability in Himmelblau allows an attacker within the same Entra ID domain to impersonate another user's local Unix session, gaining access to local files and home directories. This unauthorized access to user data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Because the vulnerability impacts confidentiality and integrity by allowing unauthorized local access, organizations using affected versions of Himmelblau may face compliance risks if sensitive data is exposed or improperly accessed.

Mitigations such as enabling multi-factor authentication, minimizing local sensitive data storage, restricting physical access, and monitoring authentication logs are recommended to reduce compliance risks until patched versions are deployed.

Executive Summary

CVE-2026-45108 is an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow of the Himmelblau software, which is used for interoperability with Microsoft Azure Entra ID and Intune.

The flaw exists because the token_validate function only compares domain aliases but fails to verify that the local part (username) of the authenticated user's UPN matches the requested account username.

This allows a user within the same Entra ID domain to impersonate another user's local Unix session by providing their own valid credentials, gaining access to the victim's local files, home directory, and Unix session.

The vulnerability affects versions from 2.0.0 up to before 3.1.5 and 2.3.11 and is fixed in versions 3.1.5 and 2.3.11.

Impact Analysis

This vulnerability allows an attacker within the same Entra ID domain to gain unauthorized access to another user's local Unix session and files by bypassing authentication.

The attacker retains their own Entra token but can access the victim's local environment, potentially leading to confidentiality and integrity breaches of local data.

The vulnerability does not affect cloud resources or Azure services and is limited to local access through the DAG flow.

It is most exploitable when multi-factor authentication (MFA) is disabled or fallback scenarios occur.

  • Potential exposure of sensitive local files and user sessions.
  • Compromise of local user integrity and confidentiality.
  • Increased risk if physical access to the device is not restricted.
Detection Guidance

This vulnerability can be detected by monitoring authentication logs for signs of mismatched account IDs, where the local Unix session username does not match the authenticated user's UPN local part but shares the same domain.

Administrators should review logs related to the Device Authorization Grant (DAG) flow to identify any instances where a user gains access to another user's local Unix session.

Suggested commands include checking authentication logs on the system, for example using commands like:

  • grep or journalctl commands to search for unusual login events or mismatched usernames in /var/log/auth.log or systemd journal.
  • Custom scripts to parse logs for discrepancies between the authenticated Entra ID user and the local Unix session user.
Mitigation Strategies

Immediate mitigation steps include updating Himmelblau to the fixed versions 3.1.5 or 2.3.11 or later, which address the authentication bypass vulnerability.

Other recommended actions are enabling Hello PIN authentication and Multi-Factor Authentication (MFA), as MFA is enabled by default and reduces the risk.

Minimize the storage of sensitive data locally and restrict physical access to systems to reduce the attack surface.

Administrators should verify their configuration settings, especially ensuring that the 'enable_experimental_mfa' option is not set to false, as this increases exploitability.

Continuously monitor authentication logs for signs of suspicious activity related to this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart