10.0
Himmelblau: Unsecured Authentication Exposes Data in Remote Environments
CVE-2026-31957
Summary
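When Himmelblau is deployed without a configured tenant domain in himmelblau.conf, its authentication is not tenant-scoped and it can accept authentication attempts for arbitrary Entra ID domains. In remote authentication environments this can allow unauthorized access and poses a risk to sensitive data. Update Himmelblau to version 3.1.0 to resolve the issue.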
Original title
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authent...
Original description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime. This behavior is intended for initial/local bootstrap scenarios, but it can create risk in remote authentication environments. This vulnerability is fixed in 3.1.0.
nvd CVSS3.1
10.0
Vulnerability type
CWE-1188
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026