
Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions 3.0.0 up to but not including 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau accepts authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime, so a host will authenticate principals from any Entra ID tenant, not only the one it was joined to. This behavior is intended for initial/local bootstrap scenarios, but it creates risk wherever the authentication path is reachable remotely. This vulnerability is fixed in 3.1.0.
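The mitigation on an affected version is to pin the tenant in himmelblau.conf, and the fix is to upgrade. The following audit script is an added example, not Himmelblau project code: it parses a himmelblau.conf, reports whether any tenant domain is configured, and combines that with the installed version against the affected range above. It assumes the tenant list lives under the `domains` key of the `[global]` section (that key name is an assumption from the Himmelblau README, not from this advisory), and the two sample config texts are constructed for the example.

```python
"""Audit himmelblau.conf for the unscoped-tenant condition in CVE-2026-31957.

Added example, not Himmelblau's own code. The `domains` key under [global]
is assumed from the project README; the sample configs are constructed.
"""
import configparser
from typing import List, NamedTuple, Tuple

# Affected range from the advisory: >= 3.0.0 and < 3.1.0.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 1, 0)

# Assumption: Himmelblau reads its tenant domain list from [global] / domains.
SECTION = "global"
DOMAINS_KEY = "domains"

# Constructed sample config with no tenant domain: bootstrap mode.
UNSCOPED_CONF = """
[global]
# no tenant domain configured, so providers are registered for any domain
pam_allow_groups = sudoers
"""

# Constructed sample config pinned to one tenant.
SCOPED_CONF = """
[global]
domains = contoso.onmicrosoft.com, contoso.com
pam_allow_groups = sudoers
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.0.1' or 'v3.0.1-rc2' into a comparable tuple of integers."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_affected(text: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) < FIXED_IN


def configured_domains(conf_text: str) -> List[str]:
    """Return the tenant domains listed in the config, or [] if none are set."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    raw = parser.get(SECTION, DOMAINS_KEY, fallback="")
    return [d.strip().lower() for d in raw.split(",") if d.strip()]


class Finding(NamedTuple):
    affected_version: bool
    tenant_scoped: bool
    verdict: str


def assess(conf_text: str, version: str) -> Finding:
    """Combine the version check and the tenant-scoping check into one verdict."""
    affected = version_affected(version)
    scoped = bool(configured_domains(conf_text))
    if affected and not scoped:
        verdict = "VULNERABLE: unscoped authentication on an affected version"
    elif not scoped:
        verdict = "WARN: no tenant domain configured (bootstrap mode)"
    elif affected:
        verdict = "WARN: tenant-scoped, but still on an affected version; upgrade to 3.1.0"
    else:
        verdict = "OK"
    return Finding(affected, scoped, verdict)


if __name__ == "__main__":
    for name, conf in (("unscoped", UNSCOPED_CONF), ("scoped", SCOPED_CONF)):
        print(name, assess(conf, "3.0.2"))
```

Run it against the real file with `assess(open("/etc/himmelblau/himmelblau.conf").read(), installed_version)`; an empty `domains` list on a 3.0.x host is the condition this advisory describes, and setting `domains` is the stop-gap until the host is on 3.1.0 or later.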

PUBLISHED Reserved 2026-03-10 | Published 2026-03-11 | Updated 2026-03-12 | Assigner GitHub_M

CRITICAL: 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-1188: Insecure Default Initialization of Resource

Product status

affected: >= 3.0.0, < 3.1.0

References

github.com/...elblau/security/advisories/GHSA-q746-m2wv-qh4v

cve.org (CVE-2026-31957)

nvd.nist.gov (CVE-2026-31957)
