Security Vulnerability Report
CVE-2026-34397 CVSS 6.3 MEDIUM

Published: 2026-04-01 18:16:30
Last Modified: 2026-04-15 17:14:05

Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose mapped CN/short name exactly matches a privileged local group name (e.g., "sudo", "wheel", "docker", "adm") can cause the NSS module to resolve that group name to their fake primary group. If the system uses NSS results for group-based authorization decisions (sudo, polkit, etc.), this can grant the attacker the privileges of that group. This issue has been patched in versions 2.3.9 and 3.1.1.

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:* - VULNERABLE
Himmelblau 2.0.0-alpha to before 2.3.9
Himmelblau 3.0.0-alpha to before 3.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC to check if the current user is resolved as a member of a privileged group (e.g., sudo)
# due to the CVE-2026-34397 naming collision.
# Note: a user who is legitimately in one of these groups produces the same result,
# so a positive finding needs manual review.
import subprocess
import sys


def check_vulnerability():
    # Define a list of common privileged group names to check
    privileged_groups = ['sudo', 'wheel', 'docker', 'adm', 'root']

    print("[*] Checking group memberships via NSS...")
    try:
        # Execute 'id -Gn' to get all group names the current user belongs to
        result = subprocess.run(['id', '-Gn'], capture_output=True, text=True, check=True)
        user_groups = set(result.stdout.strip().split())

        # Check if any of the user's groups match the privileged list
        found_privileged = user_groups.intersection(privileged_groups)

        if found_privileged:
            print("[+] Potential Vulnerability Detected!")
            print(f"[+] User is resolved in the following privileged groups: {', '.join(sorted(found_privileged))}")
            print(f"[+] All groups: {', '.join(sorted(user_groups))}")
            return True
        else:
            print("[-] No privileged group resolution detected via NSS.")
            print(f"[-] Current groups: {', '.join(sorted(user_groups))}")
            return False
    except subprocess.CalledProcessError as e:
        print(f"[!] Error executing command: {e}")
        return False
    except Exception as e:
        print(f"[!] Unexpected error: {e}")
        return False


if __name__ == "__main__":
    is_vulnerable = check_vulnerability()
    # Exit status 0 means a privileged group was found, 1 means none was found
    sys.exit(0 if is_vulnerable else 1)
```
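A host-side audit for the name collision in the Description, added here as an example (it is not part of the original report or of the Himmelblau project): for each privileged group name it compares the GID recorded in /etc/group with the GID the NSS stack returns for that name. The function names and the "shadowed" / "nss-only" labels are hypothetical, and the check assumes the collision is observable through getgrnam().

```python
#!/usr/bin/env python3
"""Added example: audit privileged group names for NSS name collisions."""
import grp

# Group names taken from the advisory text; extend for your sudoers/polkit rules.
PRIVILEGED = ("sudo", "wheel", "docker", "adm")


def parse_group_file(text):
    """Return {name: gid} for the entries in /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip comments, blank lines and malformed or compat (+/-) entries.
        if len(fields) < 3 or not fields[0] or fields[0][0] in "#+-":
            continue
        if fields[2].isdigit():
            groups[fields[0]] = int(fields[2])
    return groups


def nss_gid(name):
    """GID that the full NSS stack returns for a group name, or None."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def find_collisions(local_groups, resolve=nss_gid, names=PRIVILEGED):
    """Compare local GIDs with NSS answers; return findings for review."""
    findings = []
    for name in names:
        local, resolved = local_groups.get(name), resolve(name)
        if resolved is None:
            continue  # name does not resolve at all
        if local is None:
            # No local group, yet the name resolves: check sudoers/polkit rules.
            findings.append((name, None, resolved, "nss-only"))
        elif resolved != local:
            # NSS answers with a different GID than /etc/group records.
            findings.append((name, local, resolved, "shadowed"))
    return findings


if __name__ == "__main__":
    with open("/etc/group", encoding="utf-8") as fh:
        for name, local, resolved, kind in find_collisions(parse_group_file(fh.read())):
            print(f"[!] {name}: /etc/group gid={local}, NSS gid={resolved} ({kind})")
```

An "nss-only" finding is expected on hosts that deliberately take groups from a directory service, so treat it as a prompt to review the sudoers and polkit rules that reference that name.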

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34397", "sourceIdentifier": "[email protected]", "published": "2026-04-01T18:16:30.330", "lastModified": "2026-04-15T17:14:04.947", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose mapped CN/short name exactly matches a privileged local group name (e.g., \"sudo\", \"wheel\", \"docker\", \"adm\") can cause the NSS module to resolve that group name to their fake primary group. If the system uses NSS results for group-based authorization decisions (sudo, polkit, etc.), this can grant the attacker the privileges of that group. This issue has been patched in versions 2.3.9 and 3.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", 
"value": "CWE-269"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.3.9", "matchCriteriaId": "2CA8DCD5-4749-4670-9B02-25F4829C89AF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.1.1", "matchCriteriaId": "09BA6863-CDB1-4212-BB01-8CAB16ABFBE8"}]}]}], "references": [{"url": "https://github.com/himmelblau-idm/himmelblau/releases/tag/2.3.9", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/himmelblau-idm/himmelblau/releases/tag/3.1.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-v7xx-7mqc-g835", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}