Platform: azure
Component: himmelblau
Fixed in: 2.0.1, 3.0.1
CVE-2026-34397 describes a conditional local privilege escalation vulnerability in Himmelblau IDM, an interoperability suite for Microsoft Azure Entra ID and Intune. In an edge case, an authenticated user can escalate their privileges on the system. The vulnerability affects versions 2.0.0-alpha through 3.0.0-alpha, and 3.1.0. A fix is available in version 3.1.1.
An attacker exploiting this vulnerability could gain elevated privileges on a system running a vulnerable version of Himmelblau IDM. The attacker must be an authenticated user whose mapped CN/short name exactly matches the name of a privileged local group, such as 'sudo', 'wheel', 'docker', or 'adm'. If the system uses NSS results for group-based authorization decisions (sudo, polkit, etc.), the collision can grant the attacker unauthorized access and control. The blast radius is limited to the system running the vulnerable component, but successful exploitation could lead to significant data breaches or system compromise.
This CVE was publicly disclosed on 2026-04-01. The vulnerability's conditional nature and reliance on specific group name collisions may limit its widespread exploitation. There are currently no publicly available proof-of-concept exploits. The EPSS score is pending evaluation, but the requirement for a specific CN/short name match suggests a low to medium probability of exploitation.
Organizations heavily reliant on Azure Entra ID and Intune for user management and authentication are at increased risk. Environments with legacy configurations or inconsistent naming conventions for user accounts are particularly vulnerable. Shared hosting environments where user accounts have limited control over their CN/short names may also be affected.
• windows / supply-chain: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object { $_.Message -like '*sudo*' }
• linux / server: journalctl | grep -i 'nss_init' | grep -i 'group'
• generic web: curl -I http://<your_himmelblau_idm_url>/ | grep 'Server: Himmelblau IDM'
Disclosure:
Exploit status:
EPSS: 0.01% (2nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-34397 is to upgrade Himmelblau IDM to version 3.1.1 or later. If upgrading is not immediately feasible, consider implementing stricter group name policies to prevent CN/short names from matching privileged local group names. Review NSS configuration to ensure group-based authorization decisions are not solely reliant on NSS results. While not a direct fix, restricting sudo/polkit access based on other factors can reduce the impact. After upgrading, confirm the fix by attempting to authenticate with a user whose CN/short name matches a privileged local group name and verifying that privilege escalation fails.
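A defender-side check for the two conditions the mitigation describes, as an added shell example that is not part of this advisory or of the Himmelblau project: it looks for accounts whose short name collides with one of the privileged group names named above, and for privileged groups whose NSS-merged view carries members that /etc/group does not. It assumes getent and /etc/group are available on the host.

```shell
#!/bin/sh
# Added example, not from the advisory or the Himmelblau project. Checks the
# two conditions the advisory describes: an account whose short name collides
# with a privileged local group, and privileged groups whose NSS-merged view
# carries members that /etc/group does not. Group list taken from the advisory.
PRIV_GROUPS='sudo wheel docker adm'

# members GROUP_LINE: print the comma-separated member field one per line.
members() {
  printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# extra_members LOCAL_LINE NSS_LINE: members of NSS_LINE missing from
# LOCAL_LINE, space-separated; empty output means both views agree.
extra_members() {
  out=''
  for m in $(members "$2"); do
    members "$1" | grep -qx -- "$m" || out="$out${out:+ }$m"
  done
  printf '%s' "$out"
}

# name_collisions "GROUPS" "USERS": group names (space-separated) that also
# appear as user names (newline-separated), i.e. the advisory's precondition.
name_collisions() {
  out=''
  for g in $1; do
    printf '%s\n' "$2" | grep -qx -- "$g" && out="$out${out:+ }$g"
  done
  printf '%s' "$out"
}

# scan_system: run both checks against the live NSS configuration.
scan_system() {
  users=$(getent passwd 2>/dev/null | cut -d: -f1 || true)
  hits=$(name_collisions "$PRIV_GROUPS" "$users")
  [ -z "$hits" ] || printf 'FINDING: user name(s) collide with privileged group(s): %s\n' "$hits"
  for g in $PRIV_GROUPS; do
    local_line=$(grep "^$g:" /etc/group 2>/dev/null || true)
    nss_line=$(getent group "$g" 2>/dev/null || true)
    extra=$(extra_members "$local_line" "$nss_line")
    [ -z "$extra" ] || printf 'FINDING: group %s has NSS-only members: %s\n' "$g" "$extra"
  done
}

scan_system
```

No output means neither condition was observed; a FINDING line names the colliding account or the NSS-only members to review.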
Update Himmelblau to version 2.3.9 or later, or to version 3.1.1 or later, depending on your release branch. This fixes the local privilege escalation vulnerability.
CVE-2026-34397 is a local privilege escalation vulnerability in Himmelblau IDM, allowing authenticated users to potentially gain elevated privileges through a naming collision.
You are affected if you are using Himmelblau IDM versions 2.0.0-alpha through 3.1.0 and your system relies on NSS for group-based authorization decisions.
Upgrade Himmelblau IDM to version 3.1.1 or later to remediate the vulnerability. Consider stricter naming conventions for user accounts as a temporary workaround.
There is currently no indication of active exploitation of CVE-2026-34397, but it is important to apply the patch promptly.
Refer to the official Himmelblau IDM security advisory for detailed information and updates regarding CVE-2026-34397.