CVE-2026-45108 Overview
CVE-2026-45108 is an authentication bypass vulnerability in Himmelblau, an interoperability suite that connects Linux systems to Microsoft Azure Entra ID and Intune. The flaw exists in the Device Authorization Grant (DAG) flow and affects versions from 2.0.0 up to, but not including, 3.1.5 (and, on the 2.x line, versions before 2.3.11). An authenticated user within the same Entra ID domain can obtain a local Unix session as another user by supplying their own valid credentials. The defect lives in the token_validate function, which compared only the UPN domains and ignored the local username portion. The issue is classified under CWE-863: Incorrect Authorization and is fixed in versions 3.1.5 and 2.3.11.
Critical Impact
Any valid Entra ID user in the tenant can authenticate as any other user on a Himmelblau-joined Linux host, breaking the trust boundary between Unix accounts.
Affected Products
- Himmelblau versions 2.0.0 through 3.1.4
- Himmelblau 2.x branch prior to 2.3.11
- Linux hosts joined to Microsoft Entra ID via Himmelblau
Discovery Timeline
- 2026-05-27 - CVE-2026-45108 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45108
Vulnerability Analysis
Himmelblau brokers authentication between Linux PAM/NSS and Microsoft Entra ID. The Device Authorization Grant flow lets a user complete OAuth 2.0 authentication on a separate device, then returns a token that Himmelblau validates before establishing a local Unix session. The token_validate function is responsible for binding the returned token to the account the user is attempting to log into. The function correctly handled multi-domain tenant scenarios by checking domain aliases. However, it stopped at the domain comparison and never compared the local part of the User Principal Name (UPN) against the requested username.
The result is a confused deputy condition. A user alice@contoso.com can initiate a login as bob on the local system, complete the DAG flow using her own credentials, and receive a token whose domain matches contoso.com. Himmelblau accepts the token as valid for bob because the domain portion satisfies the alias check.
Root Cause
The root cause is incomplete authorization logic in token_validate. The function compared only the domain segment of the authenticated UPN against the requested account, omitting the local username comparison. Authentication and authorization were conflated: a successful token issuance was treated as authorization for any account in the same domain.
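The following Rust is an added example, not Himmelblau's own code, contrasting the domain-only comparison described above with one that also binds the UPN local part. It assumes the requested Unix account name is UPN-shaped and that the tenant's domain aliases are supplied as a list.

```rust
/// Split "user@domain" into lowercased (local, domain); None if malformed.
fn split_upn(upn: &str) -> Option<(String, String)> {
    let (local, domain) = upn.split_once('@')?;
    if local.is_empty() || domain.is_empty() || domain.contains('@') {
        return None;
    }
    Some((local.to_ascii_lowercase(), domain.to_ascii_lowercase()))
}

/// Two domains match when equal or when both are known aliases of the tenant.
fn domain_matches(a: &str, b: &str, aliases: &[&str]) -> bool {
    a == b
        || (aliases.iter().any(|x| x.eq_ignore_ascii_case(a))
            && aliases.iter().any(|x| x.eq_ignore_ascii_case(b)))
}

/// Vulnerable shape (CWE-863): only the domain is compared, so a token for
/// any user in the tenant is accepted for the requested account.
fn token_binds_account_vulnerable(token_upn: &str, requested: &str, aliases: &[&str]) -> bool {
    match (split_upn(token_upn), split_upn(requested)) {
        (Some((_, td)), Some((_, rd))) => domain_matches(&td, &rd, aliases),
        _ => false,
    }
}

/// Fixed shape: the local part of the token UPN must equal the requested
/// account's local part, in addition to the alias-aware domain check.
fn token_binds_account_fixed(token_upn: &str, requested: &str, aliases: &[&str]) -> bool {
    match (split_upn(token_upn), split_upn(requested)) {
        (Some((tl, td)), Some((rl, rd))) => tl == rl && domain_matches(&td, &rd, aliases),
        _ => false,
    }
}

fn main() {
    // Constructed scenario from the advisory: Alice authenticates, asks for Bob's session.
    let aliases = ["contoso.com", "contoso.onmicrosoft.com"];
    let token_upn = "alice@contoso.com";
    let requested = "bob@contoso.com";
    println!("vulnerable accepts: {}", token_binds_account_vulnerable(token_upn, requested, &aliases));
    println!("fixed accepts:      {}", token_binds_account_fixed(token_upn, requested, &aliases));
}
```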
Attack Vector
Exploitation requires the attacker to hold valid Entra ID credentials in the target tenant and to have network reachability to a Himmelblau-joined host. The attacker initiates a local login as the victim account through PAM. When prompted to complete the DAG flow, the attacker authenticates with their own Entra ID credentials. Himmelblau receives a token whose UPN domain matches the target tenant and grants a local Unix session under the victim's identity. No code execution against Entra ID itself is required, and no interaction with the victim is needed.
The attacker now operates with the victim's UID, group memberships, home directory access, and any sudo or file permissions assigned to that account.
Detection Methods for CVE-2026-45108
Indicators of Compromise
- Himmelblau authentication log entries where the authenticated UPN local part does not match the established Unix session username
- Successful PAM session establishment for an account following a DAG flow initiated by a different user identity
- Multiple distinct Entra ID UPNs producing successful logins to the same Unix account in close proximity
- Unexpected interactive logins from accounts that historically authenticate from different workstations or geographies
Detection Strategies
- Parse himmelblaud logs and correlate the preferred_username or UPN claim from issued tokens with the target Unix username on each session start
- Alert when the local part of the authenticated UPN differs from the PAM-requested account, even when the domain matches
- Baseline the expected UPN-to-Unix-username mapping per host and flag deviations
- Cross-reference Entra ID sign-in logs with local Linux authentication events for the same time window
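An added example, not Himmelblau's code, implementing the first two strategies above over constructed log lines. The `session open user=... token_upn=...` line shape is an assumption for illustration, not himmelblaud's real log format; adapt the parser to the fields your deployment emits.

```rust
/// One successful session start extracted from a log line.
#[derive(Debug, PartialEq)]
struct SessionStart {
    unix_user: String,
    token_upn: String,
}

/// Parse a constructed line of the form
/// "<ts> himmelblaud session open user=<unix user> token_upn=<authenticated UPN>".
/// Lines without both fields, or that are not session opens, are skipped.
fn parse_session_line(line: &str) -> Option<SessionStart> {
    if !line.contains("session open") {
        return None;
    }
    let field = |key: &str| {
        line.split_whitespace()
            .find_map(|tok| tok.strip_prefix(key).map(str::to_string))
    };
    Some(SessionStart { unix_user: field("user=")?, token_upn: field("token_upn=")? })
}

/// Local part of a UPN or UPN-shaped Unix username, lowercased.
fn local_part(name: &str) -> String {
    name.split('@').next().unwrap_or("").to_ascii_lowercase()
}

/// Session starts where the authenticated UPN's local part differs from the
/// Unix account opened: the indicator described in the advisory, even when
/// the domain portion matches.
fn find_cross_user_sessions(log: &str) -> Vec<SessionStart> {
    log.lines()
        .filter_map(parse_session_line)
        .filter(|s| local_part(&s.unix_user) != local_part(&s.token_upn))
        .collect()
}

fn main() {
    // Constructed sample log: line 1 is a normal login, line 2 is cross-user.
    let log = "2026-05-27T10:00:01Z himmelblaud session open user=bob@contoso.com token_upn=Bob@contoso.com\n\
               2026-05-27T10:02:17Z himmelblaud session open user=bob@contoso.com token_upn=alice@contoso.com\n\
               2026-05-27T10:03:00Z himmelblaud session close user=bob@contoso.com";
    for hit in find_cross_user_sessions(log) {
        println!("ALERT cross-user session: {:?}", hit);
    }
}
```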
Monitoring Recommendations
- Centralize Linux authentication and himmelblaud daemon logs to a SIEM with retention covering the patch rollout window
- Monitor /var/log/auth.log and journald entries for pam_himmelblau session opens paired with Entra ID token claims
- Track Himmelblau package versions across the fleet to confirm all hosts run 3.1.5 or 2.3.11 or later
How to Mitigate CVE-2026-45108
Immediate Actions Required
- Upgrade all Himmelblau installations to version 3.1.5 or 2.3.11 immediately
- Audit local authentication logs on Himmelblau-joined hosts for cross-user session establishment since deploying any affected version
- Rotate credentials and review session activity for privileged Unix accounts that may have been impersonated
- Restrict interactive login to Himmelblau-joined hosts to a minimum set of users until patches are applied
Patch Information
The vendor fixed CVE-2026-45108 in Himmelblau 3.1.5 and 2.3.11. The patched token_validate function now compares the full UPN, including the local username portion, against the requested account before authorizing a session. Refer to the Himmelblau GHSA-pmxh-j4r6-88mv advisory for release notes and source-level changes.
Workarounds
- Disable the Device Authorization Grant flow in Himmelblau configuration where feasible and require interactive browser-based authentication tied to the local user
- Limit Entra ID group membership that grants login rights to Himmelblau hosts, reducing the pool of potential impersonators
- Apply AllowUsers or pam_access restrictions to enforce a strict allowlist of UPN-to-Unix-username mappings until the upgrade is deployed
# Verify installed Himmelblau version and upgrade
himmelblaud --version
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade himmelblau
# Confirm patched version (3.1.5 or 2.3.11 or later)
himmelblaud --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.