PatchSiren cyber security CVE debrief
CVE-2026-45108 himmelblau-idm CVE debrief
CVE-2026-45108 is a HIGH-severity authentication bypass vulnerability in Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune. The flaw exists in the Device Authorization Grant (DAG) flow's token_validate function, which improperly validates user identity by comparing only domain aliases rather than complete usernames. This allows any authenticated user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability affects versions 2.0.0 through 3.1.4 and prior to 2.3.11. Fixes are available in versions 3.1.5 and 2.3.11. The vulnerability was published on 2026-05-27 and is tracked as CWE-863 (Incorrect Authorization).
- Vendor: himmelblau-idm
- Product: himmelblau
- CVSS: HIGH 8.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations using Himmelblau versions 2.0.0 through 3.1.4 or prior to 2.3.11 for Azure Entra ID and Intune integration with Unix systems. This includes security teams managing identity federation infrastructure, Unix system administrators relying on Himmelblau for authentication, and organizations with multi-user Entra ID domains where user separation is critical. Organizations subject to compliance requirements for access control and identity verification should prioritize patching.
Technical summary
The vulnerability resides in Himmelblau's token_validate function used during the Device Authorization Grant (DAG) flow. The function was designed to validate domain aliases to support legitimate multi-domain scenarios, but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. By comparing only domains rather than complete usernames, any authenticated user within the same Entra ID domain could authenticate with their own credentials and obtain a Unix session as a different user. This represents an incorrect authorization control (CWE-863) where authentication state is not properly validated against the requested resource access. The fix in versions 3.1.5 and 2.3.11 adds proper validation of the complete username in the UPN comparison.
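To make the flaw concrete, the following added illustration (not Himmelblau's code) places a domain-alias-only check beside the complete-UPN check that the fix adds. The function names, the alias list, the sample UPNs and the case-insensitive comparison of the local part are assumptions for this example.

```rust
// Illustrative model of the CWE-863 pattern described above; not Himmelblau's code.
// Assumed model: the token carries the authenticated UPN (e.g. "bob@corp.example"),
// the request names the account the Unix session is wanted for, and `aliases` lists
// the domains the deployment treats as equivalent (legitimate multi-domain support).

fn split_upn(upn: &str) -> Option<(&str, &str)> {
    let (local, domain) = upn.rsplit_once('@')?;
    if local.is_empty() || domain.is_empty() {
        return None;
    }
    Some((local, domain))
}

fn domain_matches(token_domain: &str, requested_domain: &str, aliases: &[&str]) -> bool {
    if token_domain.eq_ignore_ascii_case(requested_domain) {
        return true;
    }
    let is_alias = |d: &str| aliases.iter().any(|a| a.eq_ignore_ascii_case(d));
    is_alias(token_domain) && is_alias(requested_domain)
}

/// Vulnerable shape: only the domain part is compared, so any user in the same
/// domain (or an aliased one) is accepted for any requested account.
pub fn token_validate_vulnerable(token_upn: &str, requested_upn: &str, aliases: &[&str]) -> bool {
    match (split_upn(token_upn), split_upn(requested_upn)) {
        (Some((_, td)), Some((_, rd))) => domain_matches(td, rd, aliases),
        _ => false,
    }
}

/// Fixed shape: the domain alias check plus a match of the local part (username).
pub fn token_validate_fixed(token_upn: &str, requested_upn: &str, aliases: &[&str]) -> bool {
    match (split_upn(token_upn), split_upn(requested_upn)) {
        (Some((tl, td)), Some((rl, rd))) => {
            domain_matches(td, rd, aliases) && tl.eq_ignore_ascii_case(rl)
        }
        _ => false,
    }
}

fn main() {
    // Constructed sample: bob's own token, session requested for alice's account.
    let aliases = ["corp.example", "corp.onmicrosoft.com"];
    let (tok, req) = ("bob@corp.example", "alice@corp.example");
    println!("vulnerable check: {}", token_validate_vulnerable(tok, req, &aliases)); // true
    println!("fixed check: {}", token_validate_fixed(tok, req, &aliases)); // false
}
```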
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Himmelblau to version 3.1.5 or 2.3.11 or later to remediate the authentication bypass vulnerability
- Review Unix session logs for unauthorized access attempts where users may have obtained sessions as other accounts within the same Entra ID domain
- Audit Device Authorization Grant flow implementations to ensure complete username validation is enforced, not just domain comparison
- Verify that the token_validate function in custom deployments compares the full UPN (userPrincipalName), including the local username portion, not just domain aliases
- Consider implementing additional session validation controls to detect anomalous authentication patterns where credential presentation does not match requested account
- Review access controls for sensitive Unix systems integrated with Himmelblau to ensure principle of least privilege is maintained
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-pmxh-j4r6-88mv. The CVSS 3.1 score of 8.4 reflects a network attack vector with high attack complexity, low privileges required, no user interaction, changed scope, and high impact to confidentiality and integrity.
Official resources
- CVE-2026-45108 CVE record (CVE.org)
- CVE-2026-45108 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27