CVE-2026-31979
Published: 11 March 2026
Summary
CVE-2026-31979 is a high-severity Link Following (CWE-59) vulnerability in Himmelblau-Idm Himmelblau. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-4 (Information in Shared System Resources).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
CM-6 requires secure configuration settings for system components like the himmelblaud-tasks systemd unit, such as enabling PrivateTmp or equivalent filesystem isolation to prevent exposure to host /tmp and symlink attacks.
SC-4 prevents unauthorized information transfer via shared system resources like /tmp by implementing protections against symlink following and improper link resolution (CWE-59).
AC-6 enforces least privilege on the root-running himmelblaud-tasks daemon, such as privilege dropping or DynamicUser in systemd, limiting the impact of symlink-based privilege escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local symlink attack on predictable /tmp Kerberos cache paths written by a root daemon directly enables exploitation of a software vulnerability for root privilege escalation (CWE-59).
NVD Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the himmelblaud-tasks daemon, running as root, writes Kerberos cache files under /tmp/krb5cc_<uid> without symlink protections. Since commit 87a51ee, PrivateTmp is explicitly removed from the tasks daemon's systemd hardening, exposing it to the host /tmp. A local user can exploit this via symlink attacks to chown or overwrite arbitrary files, achieving local privilege escalation. This vulnerability is fixed in 3.1.0 and 2.3.8.
Deeper analysis
CVE-2026-31979 is a local privilege escalation vulnerability in Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune, affecting versions prior to 3.1.0 and 2.3.8. The issue stems from the himmelblaud-tasks daemon, which runs as root and writes Kerberos cache files under the predictable path /tmp/krb5cc_<uid> without symlink protections. Since commit 87a51ee, PrivateTmp has been explicitly removed from the daemon's systemd hardening configuration, exposing it to the host's /tmp directory. Classified as CWE-59 (Improper Link Resolution Before File Access), it carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A local user with low privileges can exploit this vulnerability by creating symlinks in /tmp that point to arbitrary files. When the root himmelblaud-tasks daemon writes to the expected Kerberos cache file paths, it follows the symlinks, allowing the attacker to chown root-owned files or overwrite them with attacker-controlled content. Successful exploitation results in full local privilege escalation to root.
The vulnerability is addressed in Himmelblau releases 3.1.0 and 2.3.8. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-44wm-q286-ghq3.
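A defensive check for the condition described above, added here as an example (not code from Himmelblau or the advisory): it lists krb5cc_<uid> entries in a directory and flags any that are symlinks, non-regular files, hard-linked, or not owned by the uid in their name. The function name and the owner-matches-uid heuristic are assumptions.

```python
import os
import re
import stat

CCACHE_RE = re.compile(r"^krb5cc_(\d+)$")  # cache naming as given in the advisory text


def audit_ccache_dir(tmp_dir="/tmp"):
    """Return (path, reason) pairs for suspicious krb5cc_<uid> entries.

    Hypothetical helper for triage on hosts running an unpatched version.
    """
    findings = []
    for name in sorted(os.listdir(tmp_dir)):
        match = CCACHE_RE.match(name)
        if not match:
            continue
        path = os.path.join(tmp_dir, name)
        try:
            # lstat inspects the directory entry itself and never follows a link.
            st = os.lstat(path)
            target = os.readlink(path) if stat.S_ISLNK(st.st_mode) else None
        except OSError:
            continue  # entry changed or vanished while we were looking at it
        if target is not None:
            findings.append((path, "symlink -> " + target))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        # Assumption: a legitimate cache is owned by the uid in its file name.
        if st.st_uid != int(match.group(1)):
            findings.append((path, "owned by uid %d" % st.st_uid))
        # A second hard link means the same inode is reachable under another name.
        if st.st_nlink > 1:
            findings.append((path, "hard-linked (%d links)" % st.st_nlink))
    return findings


if __name__ == "__main__":
    for path, reason in audit_ccache_dir():
        print(f"{path}: {reason}")
```

A clean result does not show that a host is patched; it only means no suspicious entry was present at scan time.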
Details
- CWE(s)