Cyber Posture

CVE-2026-31957

Critical

Published: 11 March 2026

Modified: 16 March 2026
KEV Added: not listed
Patch: 3.1.0
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.2 percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31957 is a critical-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Himmelblau-Idm Himmelblau. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Enforces tenant-scoped access controls to prevent Himmelblau from accepting authentication attempts for arbitrary Entra ID domains.
- prevent: Restricts use of identity providers to organization-defined ones, blocking dynamic runtime registration of arbitrary Entra ID providers.
- prevent: Mandates secure configuration settings, including a tenant domain in himmelblau.conf, to enable proper authentication scoping.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability in the Himmelblau interoperability suite enables network-based exploitation of a public-facing authentication service, allowing attackers to bypass tenant isolation using credentials from arbitrary Entra ID domains, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime. This behavior is intended for initial/local bootstrap scenarios, but it can create risk in remote authentication environments. This vulnerability is fixed in 3.1.0.

Deeper analysis

CVE-2026-31957, published on 2026-03-11, affects Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune, in versions from 3.0.0 up to but not including 3.1.0. The vulnerability occurs when Himmelblau is deployed without a configured tenant domain in himmelblau.conf, resulting in authentication that is not tenant-scoped. In this mode, the software accepts authentication attempts for arbitrary Entra ID domains by dynamically registering providers at runtime. This behavior, designed for initial or local bootstrap scenarios, introduces risks in remote authentication environments. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-1188.

A network-based attacker requires no privileges, no user interaction, and low attack complexity to exploit this issue. By directing authentication attempts to an affected Himmelblau instance lacking tenant scoping, the attacker can use credentials from arbitrary Entra ID domains, bypassing intended tenant isolation and potentially gaining unauthorized access to the suite's interoperability functions with Entra ID and Intune.

The vulnerability is addressed in Himmelblau version 3.1.0. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-q746-m2wv-qh4v.
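As an added illustration (not code from the advisory or the Himmelblau project), a small audit helper a defender could run against a host's Himmelblau version and its himmelblau.conf to flag the unscoped bootstrap mode described above. It assumes an INI-style file whose tenant domain(s) sit under a `[global]` section key named `domains`; that layout is an assumption, not something the advisory states.

```python
import configparser

# Assumed config layout (not confirmed by the advisory): an INI-style
# himmelblau.conf with a [global] section whose "domains" key lists the
# tenant domain(s). Adjust SECTION / TENANT_KEY to the real deployment.
SECTION = "global"
TENANT_KEY = "domains"
FIRST_AFFECTED = (3, 0, 0)   # affected range per the NVD description
FIXED_VERSION = (3, 1, 0)    # fixed in 3.1.0


def parse_version(v: str) -> tuple:
    """Turn '3.0.2' into (3, 0, 2); any pre-release/build suffix is ignored."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def version_affected(v: str) -> bool:
    """True when 3.0.0 <= v < 3.1.0."""
    return FIRST_AFFECTED <= parse_version(v) < FIXED_VERSION


def tenant_domains(conf_text: str) -> list:
    """Configured tenant domains, or [] if the section/key is missing or empty."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    raw = cp.get(SECTION, TENANT_KEY, fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def assess(version: str, conf_text: str) -> str:
    """Only an affected version with no tenant domain configured is the
    unscoped mode the advisory describes; a scoped config is not exposed."""
    if not version_affected(version):
        return "not-affected-version"
    if tenant_domains(conf_text):
        return "affected-version-but-scoped"
    return "vulnerable"


# Constructed sample configs for illustration (no real tenant data).
UNSCOPED_CONF = "[global]\napp_id = 00000000-0000-0000-0000-000000000000\n"
SCOPED_CONF = "[global]\ndomains = example.com, sub.example.com\n"

if __name__ == "__main__":
    for ver, conf in [("3.0.2", UNSCOPED_CONF), ("3.0.2", SCOPED_CONF), ("3.1.0", UNSCOPED_CONF)]:
        print(ver, "->", assess(ver, conf))
```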

Details

CWE(s)

CWE-1188 Initialization of a Resource with an Insecure Default

Affected Products

himmelblau-idm himmelblau ≤ 3.1.0 (as listed; the NVD description gives the affected range as 3.0.0 up to but not including 3.1.0)

CVEs Like This One

- CVE-2026-31979 (same product: Himmelblau-Idm Himmelblau)
- CVE-2026-32965 (shared CWE-1188)
- CVE-2025-69970 (shared CWE-1188)
- CVE-2026-43581 (shared CWE-1188)
- CVE-2018-25193 (shared CWE-1188)
- CVE-2026-44109 (shared CWE-1188)
- CVE-2026-33037 (shared CWE-1188)
- CVE-2025-56332 (shared CWE-1188)
- CVE-2025-25271 (shared CWE-1188)
- CVE-2026-24148 (shared CWE-1188)

References