{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31979", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:40:10.487Z", "datePublished": "2026-03-11T19:47:05.935Z", "dateUpdated": "2026-03-11T20:07:29.194Z"}, "containers": {"cna": {"title": "himmelblaud-tasks: local privilege escalation via /tmp symlink attack on Kerberos ccache", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-44wm-q286-ghq3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-44wm-q286-ghq3"}], "affected": [{"vendor": "himmelblau-idm", "product": "himmelblau", "versions": [{"version": ">= 1.0.0, < 2.3.8", "status": "affected"}, {"version": ">= 3.0.0-alpha, < 3.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:47:05.935Z"}, "descriptions": [{"lang": "en", "value": "Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the himmelblaud-tasks daemon, running as root, writes Kerberos cache files under /tmp/krb5cc_<uid> without symlink protections. Since commit 87a51ee, PrivateTmp is explicitly removed from the tasks daemon's systemd hardening, exposing it to the host /tmp. A local user can exploit this via symlink attacks to chown or overwrite arbitrary files, achieving local privilege escalation. This vulnerability is fixed in 3.1.0 and 2.3.8."}], "source": {"advisory": "GHSA-44wm-q286-ghq3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T20:07:04.015032Z", "id": "CVE-2026-31979", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T20:07:29.194Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31979", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T20:07:04.015032Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T20:07:25.505Z"}}], "cna": {"title": "himmelblaud-tasks: local privilege escalation via /tmp symlink attack on Kerberos ccache", "source": {"advisory": "GHSA-44wm-q286-ghq3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "himmelblau-idm", "product": "himmelblau", "versions": [{"status": "affected", "version": ">= 1.0.0, < 2.3.8"}, {"status": "affected", "version": ">= 3.0.0-alpha, < 3.1.0"}]}], "references": [{"url": "https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-44wm-q286-ghq3", "name": "https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-44wm-q286-ghq3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the himmelblaud-tasks daemon, running as root, writes Kerberos cache files under /tmp/krb5cc_<uid> without symlink protections. Since commit 87a51ee, PrivateTmp is explicitly removed from the tasks daemon's systemd hardening, exposing it to the host /tmp. A local user can exploit this via symlink attacks to chown or overwrite arbitrary files, achieving local privilege escalation. This vulnerability is fixed in 3.1.0 and 2.3.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:47:05.935Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31979", "state": "PUBLISHED", "dateUpdated": "2026-03-11T20:07:29.194Z", "dateReserved": "2026-03-10T15:40:10.487Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T19:47:05.935Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:*", "matchCriteriaId": "C66E65F5-D68D-43EC-B26B-7680565AA1DD", "versionEndExcluding": "2.3.8", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:*", "matchCriteriaId": "1484B22D-EA09-40C2-B943-0EEAB8D2FA99", "versionEndExcluding": "3.1.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the himmelblaud-tasks daemon, running as root, writes Kerberos cache files under /tmp/krb5cc_<uid> without symlink protections. Since commit 87a51ee, PrivateTmp is explicitly removed from the tasks daemon's systemd hardening, exposing it to the host /tmp. A local user can exploit this via symlink attacks to chown or overwrite arbitrary files, achieving local privilege escalation. This vulnerability is fixed in 3.1.0 and 2.3.8."}, {"lang": "es", "value": "Himmelblau es una suite de interoperabilidad para Microsoft Azure Entra ID e Intune. Antes de las versiones 3.1.0 y 2.3.8, el demonio himmelblaud-tasks, ejecut\u00e1ndose como root, escribe archivos de cach\u00e9 de Kerberos bajo /tmp/krb5cc_ sin protecciones de enlaces simb\u00f3licos. Desde el commit 87a51ee, PrivateTmp se elimina expl\u00edcitamente del endurecimiento de systemd del demonio de tareas, exponi\u00e9ndolo al /tmp del host. Un usuario local puede explotar esto mediante ataques de enlaces simb\u00f3licos para cambiar el propietario (chown) o sobrescribir archivos arbitrarios, logrando una escalada de privilegios local. Esta vulnerabilidad est\u00e1 corregida en las versiones 3.1.0 y 2.3.8."}], "id": "CVE-2026-31979", "lastModified": "2026-03-16T18:18:34.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T20:16:17.607", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-44wm-q286-ghq3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,2.3.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0-alpha,3.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "himmelblau", "source": "cna", "vendor": "himmelblau-idm"}, "product": "himmelblau", "vendor": "himmelblau-idm"}], "analysis": {"en": {"generated_at": "2026-03-17T15:45:44.487952+00:00", "value": {"mitigation_remediation": ["Apply the latest patch that includes version 3.1.0 or 2.3.8 of the himmelblaud-tasks daemon. Check the vendor advisory for any additional steps."], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "himmelblau-idm provides the himmelblau product. Versions prior to 3.1.0 and 2.3.8 of the himmelblaud\u2011tasks component are vulnerable. Users on these releases should upgrade.", "description_and_impact": "The himmelblaud-tasks daemon, which runs as root, creates Kerberos cache files in /tmp/krb5cc_\\<uid> without protection against symlink attacks. The removal of PrivateTmp exposes this directory to the host, allowing a local user to create a symlink to an arbitrary file, change its ownership or overwrite it during cache creation. This flaw enables an attacker with local access to gain root privileges on the host. The weakness corresponds to CWE\u201159: Improper Restriction of Operations within the Bounds of a Resource.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.8 indicating high severity. The EPSS score is below 1 percent, indicating low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The attack vector is local with the attacker needing only user-level access to create a symbolic link in /tmp. Once the symlink is in place, the daemon will perform a chown or overwrite on the target during cache generation, which grants system-wide privileges."}}}}, "created": "2026-03-12T09:56:25.561944+00:00", "updated": "2026-03-23T09:55:14.089330+00:00", "vendors": ["himmelblau-idm", "himmelblau-idm$PRODUCT$himmelblau"]}