CVE

CVE-2026-31957

Himmelblau unset domain configuration can allow any-tenant authentication at first login for remote deployments

CVE

CVE-2026-31957

Himmelblau unset domain configuration can allow any-tenant authentication at first login for remote deployments

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime. This behavior is intended for initial/local bootstrap scenarios, but it can create risk in remote authentication environments. This vulnerability is fixed in 3.1.0.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31957.json, https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-q746-m2wv-qh4v, https://nvd.nist.gov/vuln/detail/CVE-2026-31957

Severity

10

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

0.00213%

EPSS Percentile

0.43711%

Introduced Version

f6b4beed26b55d02a81fb064b0a21fb059aa99fe

Fix Available

9079a98b44beb1c4e77215a262b95e6fd44c1dfb

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-31957

CVE-2026-31957

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

10

Basic Information

Fix Critical Vulnerabilities Instantly