
40 matches found

Cvelist
added 2026/05/27 6:53 p.m. | 40 views

CVE-2026-45108 Himmelblau: Authentication Bypass via Cross-User Local Session Impersonation in Device Authorization Grant (DAG) Flow

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix...

CVSS: 8.4 | EPSS: 0.00072
Exploits: 0 | References: 1

Positive Technologies
added 2026/05/27 12:0 a.m. | 6 views

PT-2026-44079

Name of the Vulnerable Software and Affected Versions: Himmelblau versions 2.0.0 through 3.1.4; Himmelblau versions prior to 2.3.11. Description: An authentication bypass exists in the Device Authorization Grant (DAG) flow, which is a process allowing devices with limited input capabilities to be...

CVSS: 8.4 | AI score: 5.8 | EPSS: 0.00072
Exploits: 0 | References: 3

Tenable Nessus
added 2026/05/05 12:0 a.m. | 3 views

SUSE SLES16 Security Update : himmelblau (SUSE-SU-2026:21437-1)

The remote SUSE Linux SLES16 / SLESSAP16 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:21437-1 advisory. Update to version 2.3.9+git0.a9fd29b. Security issues fixed: - CVE-2026-34397: Fixed naming collision that can lead to local privilege...

CVSS: 7 | AI score: 5.8 | EPSS: 0.00015
Exploits: 1 | References: 5

OPENSUSE Linux
added 2026/05/04 12:0 a.m. | 3 views

Security update for himmelblau (moderate)

openSUSE security update: security update for himmelblau. Announcement ID: openSUSE-SU-2026:20658-1 Rating: moderate References: bsc1261324 bsc1261613 Cross-References: CVE-2026-34397 CVSS scores: CVE-2026-34397 SUSE : 6.3...

CVSS: 7.2 | AI score: 5.8 | EPSS: 0.00015
Exploits: 1 | References: 2

OSV
added 2026/04/30 5:8 p.m. | 4 views

OPENSUSE-SU-2026:20658-1 Security update for himmelblau

This update for himmelblau fixes the following issues: Update to version 2.3.9+git0.a9fd29b. Security issues fixed: - CVE-2026-34397: Fixed naming collision that can lead to local privilege escalation bsc1261324. Other updates and bugfixes: - update aws-lc-sys to 0.39.0 for security fixes - updat...

CVSS: 7 | AI score: 5.8 | EPSS: 0.00015
Exploits: 1 | References: 3

OSV
added 2026/04/30 5:6 p.m. | 3 views

SUSE-SU-2026:21437-1 Security update for himmelblau

This update for himmelblau fixes the following issues: Update to version 2.3.9+git0.a9fd29b. Security issues fixed: - CVE-2026-34397: Fixed naming collision that can lead to local privilege escalation bsc1261324. Other updates and bugfixes: - update aws-lc-sys to 0.39.0 for security fixes - updat...

CVSS: 7 | AI score: 5.8 | EPSS: 0.00015
Exploits: 1 | References: 4

SUSE Linux
added 2026/04/15 2:14 p.m. | 5 views

Security update for himmelblau

This update for himmelblau fixes the following issues: Update to version 2.3.9+git0.a9fd29b; jscPED-14511: CVE-2026-34397: Fix LPE due to name collision during NSS fake-primary group lookup bsc1261324. CVE-2026-31979: Fix race condition when accessing /tmp/krb5ccuid bsc1259548. CVE-2026-25727:...

CVSS: 8.7 | AI score: 5.8 | EPSS: 0.00188
Exploits: 4 | References: 32

Tenable Nessus
added 2026/04/04 12:0 a.m. | 1 view

openSUSE 16 : Feature update for himmelblau (SUSE-SU-openSUSE-FU-2026:20453-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-openSUSE-FU-2026:20453-1 advisory. Update to himmelblau 2.3.8 jscPED-14511: Security issues: - CVE-2025-54882: world readable cloud TGT token bsc1247735. - CVE-2025-58160:...

CVSS: 8.8 | AI score: 6.2 | EPSS: 0.00112
Exploits: 2 | References: 13

OSV
added 2026/04/03 12:0 a.m. | 2 views

OPENSUSE-SU-2026:10483-1 himmelblau-2.3.9+git0.a9fd29b-1.1 on GA media

These are all security issues fixed in the himmelblau-2.3.9+git0.a9fd29b-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS: 7 | AI score: 5.9 | EPSS: 0.00015
Exploits: 1 | References: 1

SUSE CVE
added 2026/04/02 11:26 p.m. | 2 views

SUSE CVE-2026-34397

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose...

CVSS: 6.3 | AI score: 5.7 | EPSS: 0.00015
Exploits: 1 | References: 4

Vulnrichment
added 2026/04/01 5:25 p.m. | 1 view

CVE-2026-34397 himmelblau: NSS fake-primary group lookup reintroduces name collision risk

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00015
Exploits: 1 | References: 3

ATTACKERKB
added 2026/04/01 5:25 p.m. | 1 view

CVE-2026-34397

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00015
Exploits: 1 | References: 4 | Affected Software: 1

EUVD
added 2026/04/01 5:25 p.m. | 1 view

EUVD-2026-17983

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00015
Exploits: 1 | References: 3

CVE
added 2026/04/01 5:25 p.m. | 6 views

CVE-2026-34397

Himmelblau (versions 2.0.0-alpha–before 2.3.9 and 3.0.0-alpha–before 3.1.1) contains a conditional local privilege escalation caused by an edge-case naming collision in NSS fake-primary group lookup. Authenticated users whose mapped CN/short name exactly matches a privileged local group name (e.g...

CVSS: 7 | AI score: 5.8 | EPSS: 0.00015
Exploits: 1 | References: 3 | Affected Software: 1

OSV
added 2026/04/01 9:26 a.m. | 5 views

OPENSUSE-FU-2026:20453-1 Feature update for himmelblau

This update for himmelblau fixes the following issues: Update to himmelblau 2.3.8 jscPED-14511: Security issues: - CVE-2025-54882: world readable cloud TGT token bsc1247735. - CVE-2025-58160: tracing-subscriber: Tracing log pollution bsc1249013. - CVE-2026-25727: time: parsing of user-provided...

CVSS: 8.8 | AI score: 5.9 | EPSS: 0.00112
Exploits: 2 | References: 9

OPENSUSE Linux
added 2026/03/14 12:0 a.m. | 5 views

himmelblau-2.3.8+git0.dec3693-1.1 on GA media (moderate)

himmelblau-2.3.8+git0.dec3693-1.1 on GA media Announcement ID: openSUSE-SU-2026:10328-1 Rating: moderate Cross-References: CVE-2026-31979 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.00022
Exploits: 1

OSV
added 2026/03/13 12:0 a.m. | 4 views

OPENSUSE-SU-2026:10328-1 himmelblau-2.3.8+git0.dec3693-1.1 on GA media

These are all security issues fixed in the himmelblau-2.3.8+git0.dec3693-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.00022
Exploits: 1 | References: 1

NVD
added 2026/03/11 8:16 p.m. | 5 views

CVE-2026-31957

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for...

CVSS: 10 | EPSS: 0.00359
Exploits: 0 | References: 1

ATTACKERKB
added 2026/03/11 7:25 p.m. | 1 view

CVE-2026-31957

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for...

CVSS: 10 | AI score: 5.9 | EPSS: 0.00359
Exploits: 0 | References: 2 | Affected Software: 1

Tenable Nessus
added 2025/12/02 12:0 a.m. | 4 views

openSUSE 16 Security Update : himmelblau (openSUSE-SU-2025-20114-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2025-20114-1 advisory. - Update to version 0.9.23+git.0.9776141: CVE-2025-59044: Fixed GID collision of same-name groups allowing privilege escalation bsc1250687...

CVSS: 4.4 | AI score: 5.6 | EPSS: 0.00112
Exploits: 0 | References: 6