CVE-2026-45108

HIGH

Himmelblau: Authentication Bypass via Cross-User Local Session Impersonation in Device Authorization Grant (DAG) Flow

Title source: cna

Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-pmxh-j4r6-88mv

Scores

CVSS v3 8.4

EPSS 0.0024

EPSS Percentile 15.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-863

Status published

Products (2)

himmelblau-idm/himmelblau >= 2.0.0, < 2.3.11

himmelblau-idm/himmelblau >= 3.0.0-alpha, < 3.1.5

Published May 27, 2026

Tracked Since May 28, 2026