CVE-2026-31957

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-31957
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime. This behavior is intended for initial/local bootstrap scenarios, but it can create risk in remote authentication environments. This vulnerability is fixed in 3.1.0.

10.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-q746-m2wv-qh4v Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:*
History

No history.

Information

Published : 2026-03-11 20:16

Updated : 2026-03-16 19:39

NVD link : CVE-2026-31957

Mitre link : CVE-2026-31957

CVE.ORG link : CVE-2026-31957

JSON object : View

Products Affected

himmelblau-idm

  • himmelblau
CWE
CWE-1188

Initialization of a Resource with an Insecure Default