CRITICAL🇵🇱 Wersja polska

CVE-2026-31957

CVSS 10.0v3.1pub. 2026-03-11upd. 2026-03-16

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime. This behavior is intended for initial/local bootstrap scenarios, but it can create risk in remote authentication environments. This vulnerability is fixed in 3.1.0.

🤖 AI Analysis
How it works

When the tenant domain is not specified in the himmelblau.conf configuration, Himmelblau enters generic mode, in which it dynamically registers authentication providers during system operation. In this mode, the system accepts authentication attempts for any Microsoft Entra ID domain without verification that the domain belongs to the organization's expected tenant. This behavior was designed solely for initial configuration and local bootstrap scenarios, but when left active in a production environment, it becomes a vulnerability.

Impact

An attacker with network access to the system can authenticate using an account from any Microsoft Entra ID domain, potentially gaining unauthorized access to system resources. With a maximum CVSS score of 10.0 (affecting confidentiality, integrity, and availability with changed scope), the consequences may include complete system takeover.

Mitigation & patch

Update Himmelblau to version 3.1.0 or later. Additionally, ensure that the tenant domain is properly configured in the himmelblau.conf file, which restricts authentication only to the proper Entra ID tenant.

Who is affected

Himmelblau versions 3.0.0 to 3.1.0 (exclusive) deployed without a configured tenant domain in the himmelblau.conf file.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Himmelblau Idm Himmelblau

    APP
    Himmelblau-Idm
    < 3.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-31979HIGH8.8ten sam produkt

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the...

CVE-2025-54882HIGH7.1ten sam produkt

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions 0.8.0 through 0.9...

CVE-2026-34397MEDIUM6.3ten sam produkt

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to ...