Authentication Bypass Vulnerability in Himmelblau for Microsoft Azure Entra ID
CVE-2026-45108

8.4 HIGH

Key Information:

Vendor
CVE Published:
27 May 2026

What is CVE-2026-45108?

Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune, contained a vulnerability that allowed users within the same Entra ID domain to bypass authentication. The flaw was in the Device Authorization Grant (DAG) flow, specifically in the token_validate function, which failed to verify that the local part of the authenticated user's UPN matched the username of the account being logged into, leading to potential unauthorized access to local Unix sessions. The issue has been addressed in versions 3.1.5 and 2.3.11.
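The following is an added illustration, not Himmelblau's own token_validate code: a weak check that only confirms the token's UPN belongs to the expected domain, beside the corrected check that also requires the UPN's local part to match the requested account. All names (AuthError, split_upn, weak_validate_token_user, validate_token_user) and the case-insensitive comparison of UPNs are assumptions of this example.

```rust
// Added example, not Himmelblau's code. Names and the case-insensitive
// comparison are assumptions of this illustration.

#[derive(Debug, PartialEq)]
pub enum AuthError {
    MalformedUpn,
    DomainMismatch,
    UserMismatch,
}

/// Split "local@domain" into (local part, domain), lower-cased for comparison.
fn split_upn(upn: &str) -> Result<(String, String), AuthError> {
    let (local, domain) = upn.rsplit_once('@').ok_or(AuthError::MalformedUpn)?;
    if local.is_empty() || domain.is_empty() {
        return Err(AuthError::MalformedUpn);
    }
    Ok((local.to_ascii_lowercase(), domain.to_ascii_lowercase()))
}

/// Weak variant: only checks that the token's UPN is in the expected domain.
/// Any authenticated user of that domain is accepted for any local account.
pub fn weak_validate_token_user(account: &str, token_upn: &str) -> Result<(), AuthError> {
    let (_, want_domain) = split_upn(account)?;
    let (_, got_domain) = split_upn(token_upn)?;
    if want_domain != got_domain {
        return Err(AuthError::DomainMismatch);
    }
    Ok(())
}

/// Corrected variant: the token's UPN must match the requested account in
/// both domain and local part before a session is opened for that account.
pub fn validate_token_user(account: &str, token_upn: &str) -> Result<(), AuthError> {
    let (want_local, want_domain) = split_upn(account)?;
    let (got_local, got_domain) = split_upn(token_upn)?;
    if want_domain != got_domain {
        return Err(AuthError::DomainMismatch);
    }
    if want_local != got_local {
        return Err(AuthError::UserMismatch);
    }
    Ok(())
}

fn main() {
    // Constructed sample values: a token for one domain user presented for another account.
    println!("{:?}", weak_validate_token_user("alice@example.com", "bob@example.com"));
    println!("{:?}", validate_token_user("alice@example.com", "bob@example.com"));
}
```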

Affected Version(s)

himmelblau: affected >= 2.0.0, < 2.3.11; unaffected < 2.0.0; fixed in 2.3.11

himmelblau: affected >= 3.0.0-alpha, < 3.1.5; unaffected < 3.0.0-alpha; fixed in 3.1.5

References

CVSS V3.1

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
