CVE-2026-42177 Overview
CVE-2026-42177 affects linux-entra-sso, a browser plugin for Linux that enables single sign-on (SSO) to Microsoft Entra ID. Versions prior to 1.8.1 contain an improper access control flaw [CWE-284] in the Chrome adapter that can leak the Entra ID Primary Refresh Token (PRT) cookie to attacker-controlled hosts. The Chrome implementation registers a declarativeNetRequest rule with a urlFilter lacking a URL anchor, causing substring matching against the full request URL. When the extension holds broad host permissions, a crafted URL embedding https://login.microsoftonline.com/ in its path causes Chrome to attach the PRT cookie to the outbound request.
Critical Impact
Successful exploitation discloses an Entra ID Primary Refresh Token cookie to an attacker-controlled host, enabling potential session impersonation against Microsoft Entra ID.
Affected Products
- siemens/linux-entra-sso browser plugin (Chrome adapter) prior to version 1.8.1
- Chromium-based browsers loading the extension with optional_host_permissions: ["https://*/*"] granted
- Linux workstations using the plugin for Microsoft Entra ID SSO
Discovery Timeline
- 2026-05-12 - CVE-2026-42177 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42177
Vulnerability Analysis
The flaw resides in platform/chrome/js/platform-chrome.js:69-88, which registers a single declarativeNetRequest rule. The rule's urlFilter is constructed as Platform.SSO_URL + "/*", producing https://login.microsoftonline.com/*. Chrome treats a urlFilter without a | or || anchor as a substring match against the entire request URL, not an origin-anchored prefix match.
The rule's action is modifyHeaders, which attaches the Entra ID Primary Refresh Token cookie to matching requests. Because matching is substring-based, any URL whose path or query contains the string https://login.microsoftonline.com/ satisfies the filter. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs an explicit startsWith(Platform.SSO_URL) validation before injecting the header. The Chrome adapter omits this check.
Root Cause
The root cause is an improper access control decision based on an unanchored substring match [CWE-284]. The extension trusts Chrome's declarativeNetRequest filter to scope the PRT header to legitimate Microsoft login traffic, but the filter syntax used does not enforce origin boundaries. The Chrome code path also lacks the defensive origin check that the Firefox adapter performs, which removes the only remaining safeguard.
Attack Vector
An attacker hosts content at a domain they control and lures the victim to navigate to a URL whose path embeds https://login.microsoftonline.com/, for example https://attacker.example/path/https://login.microsoftonline.com/anything. If the user previously granted the extension broad host permissions declared via optional_host_permissions: ["https://*/*"] in platform/chrome/manifest.json:34, Chrome matches the substring and attaches the PRT cookie to the request to the attacker's server. The attacker receives the PRT cookie and can replay it against Entra ID. Exploitation requires user interaction and a high-complexity setup, reflected in the attack metrics.
No proof-of-concept exploit code is published. Refer to the GitHub Security Advisory for additional technical detail.
Detection Methods for CVE-2026-42177
Indicators of Compromise
- Outbound HTTP requests to non-Microsoft hosts containing the literal substring login.microsoftonline.com in the request path or query string.
- Requests to external domains carrying an x-ms-RefreshTokenCredential header or PRT-bearing cookies in response to user navigation.
- Browser telemetry showing linux-entra-sso versions earlier than 1.8.1 with optional host permissions granted for https://*/*.
Detection Strategies
- Inspect proxy and web gateway logs for URLs where the path or query contains https://login.microsoftonline.com/ but the host is not login.microsoftonline.com.
- Audit installed browser extensions on managed Linux endpoints and flag linux-entra-sso builds below 1.8.1.
- Correlate Entra ID sign-in logs for anomalous PRT usage from unexpected client IPs or user agents.
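The following is an added example, not code from linux-entra-sso or the advisory. It emulates the unanchored substring match described in the Vulnerability Analysis beside the origin-anchored check the page attributes to the Firefox adapter, and uses that check to implement the proxy-log detection strategy above over constructed sample lines (the log format, field order and sample hosts are assumptions made for this example).

```javascript
const SSO_URL = "https://login.microsoftonline.com";

// Emulation of the unanchored urlFilter "https://login.microsoftonline.com/*":
// with no leading "|" or "||" anchor the pattern is a substring match against the
// whole request URL (assumption: the trailing "*" matches any remainder).
function unanchoredFilterMatches(requestUrl) {
  return requestUrl.includes(SSO_URL + "/");
}

// Origin-anchored check, the kind of startsWith(SSO_URL) validation the page
// attributes to the Firefox adapter: only the SSO host's own origin qualifies.
function isSsoOrigin(requestUrl) {
  let parsed;
  try { parsed = new URL(requestUrl); } catch { return false; }
  return parsed.origin === SSO_URL;
}

// A request would carry the PRT cookie to a foreign host when the substring
// filter fires but the request origin is not the SSO host.
function wouldLeakPrt(requestUrl) {
  return unanchoredFilterMatches(requestUrl) && !isSsoOrigin(requestUrl);
}

// Proxy-log scanner for the detection strategy above. Assumed (constructed)
// line format: "<timestamp> <client-ip> <method> <url>"; adapt the field index
// to your gateway's format.
function scanProxyLog(lines) {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 4) continue;
    const url = fields[3];
    if (wouldLeakPrt(url)) hits.push({ client: fields[1], url });
  }
  return hits;
}

// Constructed sample log lines (not real traffic). Lines 2 and 3 should be
// flagged; line 4 is a look-alike host that the substring filter does not match.
const SAMPLE_LOG = [
  "2026-05-12T10:00:01Z 10.0.0.5 GET https://login.microsoftonline.com/common/oauth2/authorize",
  "2026-05-12T10:00:02Z 10.0.0.5 GET https://attacker.example/path/https://login.microsoftonline.com/anything",
  "2026-05-12T10:00:03Z 10.0.0.7 GET https://example.org/?next=https://login.microsoftonline.com/",
  "2026-05-12T10:00:04Z 10.0.0.7 GET https://login.microsoftonline.com.attacker.example/",
];

console.log(scanProxyLog(SAMPLE_LOG));
```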
Monitoring Recommendations
- Enable enterprise browser policy logging to capture declarativeNetRequest rule modifications and extension permission grants.
- Forward browser and proxy telemetry to a centralized analytics platform for substring pattern matching across URLs.
- Alert on Entra ID conditional access anomalies indicating PRT replay from unfamiliar locations.
How to Mitigate CVE-2026-42177
Immediate Actions Required
- Upgrade linux-entra-sso to version 1.8.1 or later on all Linux endpoints where the extension is deployed.
- Revoke any optional host permissions previously granted to the extension if an upgrade cannot be performed immediately.
- Rotate or invalidate Entra ID sessions for users who may have visited untrusted sites while running a vulnerable version.
Patch Information
The maintainers fixed the issue in linux-entra-sso version 1.8.1. The patched Chrome adapter no longer relies solely on Chrome's substring urlFilter to scope PRT cookie injection. See the GitHub Security Advisory GHSA-52rj-42vh-2rxc for the full advisory and commit references.
Workarounds
- Remove the linux-entra-sso extension from affected browsers until the 1.8.1 update is applied.
- Deny the optional host permission https://*/* for the extension and restrict it to https://login.microsoftonline.com/* only.
- Use enterprise browser management to block navigation to URLs whose path components contain embedded Microsoft login URLs.
# Verify installed extension version on Linux Chrome profiles.
# Chrome unpacks extensions under Extensions/<id>/<version>_<n>/manifest.json, so the
# manifest sits two directories deep; select manifests that mention the plugin
# before printing their "version" line (the first grep in a plain pipeline would
# otherwise discard the version line, which never contains the extension name).
for m in ~/.config/google-chrome/Default/Extensions/*/*/manifest.json; do
  grep -qi 'entra' "$m" && grep -H '"version"' "$m"
done
# Enforce minimum version via Chrome enterprise policy (ExtensionSettings)
# /etc/opt/chrome/policies/managed/linux-entra-sso.json
# Replace <extension-id> with the extension's ID; "force_installed" also requires an
# "update_url" (placeholder below) pointing at the store or self-hosted update manifest.
{
  "ExtensionSettings": {
    "<extension-id>": {
      "minimum_version_required": "1.8.1",
      "installation_mode": "force_installed",
      "update_url": "<update-url>"
    }
  }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.