CVE-2026-31957

Severity: Critical
Published: 11 March 2026
Modified: 16 March 2026
KEV Added: (not listed)
Patch: available (fixed in 3.1.0)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime. This behavior is intended for initial/local bootstrap scenarios, but it can create risk in remote authentication environments. This vulnerability is fixed in 3.1.0.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Enforces tenant-scoped access controls to prevent Himmelblau from accepting authentication attempts for arbitrary Entra ID domains.
- Prevent: Restricts use of identity providers to organization-defined ones, blocking dynamic runtime registration of arbitrary Entra ID providers.
- Prevent: Mandates secure configuration settings, including a tenant domain in himmelblau.conf, to enable proper authentication scoping.

Security Summary

CVE-2026-31957, published on 2026-03-11, affects Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune, in versions from 3.0.0 up to but not including 3.1.0. The vulnerability occurs when Himmelblau is deployed without a configured tenant domain in himmelblau.conf, resulting in authentication that is not tenant-scoped. In this mode, the software accepts authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime. This behavior, designed for initial or local bootstrap scenarios, introduces risks in remote authentication environments. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-1188.

A network-based attacker requires no privileges, no user interaction, and low attack complexity to exploit this issue. By directing authentication attempts to an affected Himmelblau instance lacking tenant scoping, the attacker can use credentials from arbitrary Entra ID domains, bypassing intended tenant isolation and potentially gaining unauthorized access to the suite's interoperability functions with Entra ID and Intune.

The vulnerability is addressed in Himmelblau version 3.1.0. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-q746-m2wv-qh4v.

Details

CWE(s): CWE-1188

Affected Products: himmelblau-idm / himmelblau, versions ≤ 3.1.0 (see Description: affected from 3.0.0 up to but not including 3.1.0; fixed in 3.1.0)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability in the Himmelblau interoperability suite enables network-based exploitation of a public-facing authentication service, allowing attackers to bypass tenant isolation using credentials from arbitrary Entra ID domains, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
