CVE-2026-45108
Status: Received - Intake
Authentication Bypass in Himmelblau Suite via DAG Flow

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor       Product      Version / Range
himmelblau   himmelblau   From 2.0.0 (inclusive) to 3.1.5 (exclusive)
himmelblau   himmelblau   2.3.11
himmelblau   himmelblau   3.1.5
Exploitability
CWE
CWE ID: CWE-863
Description: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-45108 is an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow of the Himmelblau software, which is used for interoperability with Microsoft Azure Entra ID and Intune.

The flaw exists because the token_validate function only compares domain aliases but fails to verify that the local part (username) of the authenticated user's UPN matches the requested account username.

This allows a user within the same Entra ID domain to impersonate another user's local Unix session by providing their own valid credentials, gaining access to the victim's local files, home directory, and Unix session.

The vulnerability affects versions from 2.0.0 up to before 3.1.5 and 2.3.11 and is fixed in versions 3.1.5 and 2.3.11.
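To make the flawed check concrete, here is an added example in Rust, the language of the Himmelblau project; it is not Himmelblau's own token_validate code. The function names, the alias list, and the assumption that the requested account is itself a UPN (user@domain) are constructed for illustration. The first function reproduces the domain-only comparison the advisory describes, and the second adds the missing local-part comparison, which is the fix the advisory describes.

```rust
// Added example (not Himmelblau's code): domain-only UPN check beside the
// corrected check that also compares the local part. All names are assumed.

/// Split a UPN such as "alice@corp.example" into (local part, domain).
/// Returns None when the value is not a well-formed UPN.
fn split_upn(upn: &str) -> Option<(&str, &str)> {
    let (local, domain) = upn.rsplit_once('@')?;
    if local.is_empty() || domain.is_empty() {
        return None;
    }
    Some((local, domain))
}

/// True when the two domains are identical or both appear in the alias list.
/// The alias list is a constructed sample; a real deployment would take it
/// from the tenant's verified domains.
fn same_domain(a: &str, b: &str, aliases: &[&str]) -> bool {
    let a = a.to_ascii_lowercase();
    let b = b.to_ascii_lowercase();
    if a == b {
        return true;
    }
    let lower: Vec<String> = aliases.iter().map(|d| d.to_ascii_lowercase()).collect();
    lower.contains(&a) && lower.contains(&b)
}

/// Vulnerable form: the token is accepted whenever the domains agree, so a
/// token for bob@corp.example satisfies a request for alice@corp.example.
fn vulnerable_check(token_upn: &str, requested: &str, aliases: &[&str]) -> bool {
    match (split_upn(token_upn), split_upn(requested)) {
        (Some((_, td)), Some((_, rd))) => same_domain(td, rd, aliases),
        _ => false,
    }
}

/// Fixed form: the local parts must match as well (case-insensitively, since
/// UPNs are case-insensitive); only then does the alias logic apply.
fn fixed_check(token_upn: &str, requested: &str, aliases: &[&str]) -> bool {
    match (split_upn(token_upn), split_upn(requested)) {
        (Some((tl, td)), Some((rl, rd))) => {
            tl.eq_ignore_ascii_case(rl) && same_domain(td, rd, aliases)
        }
        _ => false,
    }
}

fn main() {
    let aliases = ["corp.example", "corp.onmicrosoft.example"];
    let token = "bob@corp.example";
    for requested in ["bob@corp.onmicrosoft.example", "alice@corp.example"] {
        println!(
            "token {} for {}: vulnerable={} fixed={}",
            token,
            requested,
            vulnerable_check(token, requested, &aliases),
            fixed_check(token, requested, &aliases)
        );
    }
}
```

The corrected check still accepts a legitimate alias case (bob@corp.example for bob@corp.onmicrosoft.example) while rejecting a different user in the same domain, which is the behaviour the advisory says the fixed versions restore.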


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The authentication bypass vulnerability in Himmelblau allows an attacker within the same Entra ID domain to impersonate another user's local Unix session, gaining access to local files and home directories. This unauthorized access to user data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Because the vulnerability impacts confidentiality and integrity by allowing unauthorized local access, organizations using affected versions of Himmelblau may face compliance risks if sensitive data is exposed or improperly accessed.

Mitigations such as enabling multi-factor authentication, minimizing local sensitive data storage, restricting physical access, and monitoring authentication logs are recommended to reduce compliance risks until patched versions are deployed.


How can this vulnerability impact me?

This vulnerability allows an attacker within the same Entra ID domain to gain unauthorized access to another user's local Unix session and files by bypassing authentication.

The attacker retains their own Entra token but can access the victim's local environment, potentially leading to confidentiality and integrity breaches of local data.

The vulnerability does not affect cloud resources or Azure services and is limited to local access through the DAG flow.

It is most exploitable when multi-factor authentication (MFA) is disabled or when fallback scenarios occur.

  • Potential exposure of sensitive local files and user sessions.
  • Compromise of local user integrity and confidentiality.
  • Increased risk if physical access to the device is not restricted.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring authentication logs for signs of mismatched account IDs, where the local Unix session username does not match the authenticated user's UPN local part but shares the same domain.

Administrators should review logs related to the Device Authorization Grant (DAG) flow to identify any instances where a user gains access to another user's local Unix session.

Suggested ways to check the system's authentication logs include:

  • grep or journalctl commands to search for unusual login events or mismatched usernames in /var/log/auth.log or systemd journal.
  • Custom scripts to parse logs for discrepancies between the authenticated Entra ID user and the local Unix session user.
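As an added example of the second bullet, not a script from this page or from the Himmelblau project, the following Rust program scans log lines for the pattern described above: a DAG session granted where the token's UPN and the requested account share a domain but name different users. The line format and the field names token_upn= and requested_account= are constructed for the example; the fields the installed Himmelblau version actually writes will differ, so the fields() parser has to be adapted to them.

```rust
// Added example (not Himmelblau tooling): flag log lines where the
// authenticated UPN and the requested account differ only in the local part.
// The log format and field names below are constructed for this example.

use std::collections::HashMap;

/// Constructed sample journal lines; not real Himmelblau output.
const SAMPLE_LOG: &str = "\
2026-05-27T10:01:02Z himmelblau[1234]: dag session granted token_upn=alice@corp.example requested_account=alice@corp.example
2026-05-27T10:03:15Z himmelblau[1234]: dag session granted token_upn=bob@corp.example requested_account=alice@corp.example
2026-05-27T10:05:40Z himmelblau[1234]: dag session granted token_upn=carol@corp.example requested_account=carol@partner.example
2026-05-27T10:06:01Z himmelblau[1234]: hello pin unlock user=dave@corp.example
";

/// Extract `key=value` tokens from one log line into a map.
fn fields(line: &str) -> HashMap<&str, &str> {
    line.split_whitespace()
        .filter_map(|tok| tok.split_once('='))
        .collect()
}

/// One finding: the 1-based line number plus the two UPNs that disagreed.
#[derive(Debug, PartialEq)]
struct Mismatch {
    line_no: usize,
    token_upn: String,
    requested: String,
}

/// Return every line in which the token and the requested account share a
/// domain but name different users. Lines lacking either field are skipped,
/// and lines with different domains are left to the alias logic, since they
/// are not the pattern the advisory describes.
fn find_mismatches(log: &str) -> Vec<Mismatch> {
    let mut out = Vec::new();
    for (idx, line) in log.lines().enumerate() {
        let f = fields(line);
        let (token, req) = match (f.get("token_upn"), f.get("requested_account")) {
            (Some(t), Some(r)) => (*t, *r),
            _ => continue,
        };
        let (tl, td, rl, rd) = match (token.rsplit_once('@'), req.rsplit_once('@')) {
            (Some((tl, td)), Some((rl, rd))) => (tl, td, rl, rd),
            _ => continue,
        };
        if td.eq_ignore_ascii_case(rd) && !tl.eq_ignore_ascii_case(rl) {
            out.push(Mismatch {
                line_no: idx + 1,
                token_upn: token.to_string(),
                requested: req.to_string(),
            });
        }
    }
    out
}

fn main() {
    for m in find_mismatches(SAMPLE_LOG) {
        println!(
            "line {}: token for {} used to open a session as {}",
            m.line_no, m.token_upn, m.requested
        );
    }
}
```

Run against real output (for example, journal lines exported with journalctl), a hit on a version below 3.1.5 or 2.3.11 is worth treating as a possible use of this flaw; on a patched version it should not occur at all and would indicate a different problem.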

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating Himmelblau to the fixed versions 3.1.5 or 2.3.11 or later, which address the authentication bypass vulnerability.

Other recommended actions are enabling Hello PIN authentication and keeping Multi-Factor Authentication (MFA) enabled (it is on by default), which reduces the risk.

Minimize the storage of sensitive data locally and restrict physical access to systems to reduce the attack surface.

Administrators should verify their configuration settings, especially ensuring that the 'enable_experimental_mfa' option is not set to false, as this increases exploitability.

Continuously monitor authentication logs for signs of suspicious activity related to this vulnerability.

