CVE-2026-31957 - Vulnerability Analysis

Overview

Himmelblau 3.0.0 to < 3.1.0 contains a broken authentication caused by lack of tenant domain configuration in himmelblau.conf, letting attackers authenticate with arbitrary Entra ID domains, exploit requires misconfiguration without tenant domain.

Severity & Score

Impact

Attackers can authenticate as arbitrary Entra ID domains, potentially bypassing tenant restrictions and gaining unauthorized access.

Mitigation

Upgrade to version 3.1.0 or later.

References

• https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-q746-m2wv-qh4v

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 12, 2026

⚠️ CRITICAL: CVE-2026-31957 in himmelblau-idm (3.0.0-<3.1.0) lets attackers bypass Azure Entra ID tenant isolation if tenant domain isn't set. Upgrade to 3.1.0+ & enforce config! Details: https://radar.offseq.com/threat/cve-2026-31957-cwe-1188-insecure-default-initializ-e7809765 #OffSeq #Azure #CVE202631957 #InfoSec

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner