@dmulder dmulder released this 11 Mar 00:08
· 258 commits to main since this release

Himmelblau 3.1.0

Release date: 2026-03-10
Release type: Security release
Himmelblau 3.1.0 is a security-focused release that fixes two high-impact vulnerabilities.
All users are strongly encouraged to upgrade immediately.

Security fixes

1) CVE-2026-31957 / GHSA-q746-m2wv-qh4v (Critical, CVSS 10.0)

Issue: If [global] domain was not set, tenant scoping could be bypassed during first login in remote deployments, allowing arbitrary-tenant authentication/provider registration.
Risk: Potential cross-tenant authentication and, in some configurations, privilege escalation via group-based role mappings.
Fixed in: 3.1.0
Affected versions: 3.0.0 and later (before 3.1.0)

2) CVE-2026-31979 / GHSA-44wm-q286-ghq3 (High, CVSS 8.8)

Issue: himmelblaud-tasks could be exploited via /tmp symlink attacks when writing Kerberos ccache files.
Risk: Local privilege escalation to root through arbitrary file/directory ownership change or overwrite paths.
Fixed in: 3.1.0 (also backported to 2.3.8)
Affected versions: 1.0.0 and later (before fixed releases)

Action required

  1. Upgrade all Himmelblau installations to 3.1.0 (or newer) as soon as possible.
  2. Restart services after upgrade:
     sudo systemctl restart himmelblaud himmelblaud-tasks
  3. Ensure tenant scoping is explicitly configured:
     [global]
     domain = <your-domain>
  4. For previously exposed systems, perform post-upgrade checks:
     • Review cached tenant/provider entries in /var/cache/himmelblaud/himmelblau.conf.
     • Investigate suspicious /tmp/krb5cc_* symlinks and unexpected ownership changes on sensitive paths.
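As an added example (not Himmelblau's own tooling), the following POSIX shell script automates the checks behind steps 3 and 4: it verifies that a config file carries a non-empty `domain` under `[global]` (a commented-out value, a value in another section, or the literal `<your-domain>` placeholder all count as unset) and lists every `krb5cc_*` entry in a directory that is a symlink. It runs against a constructed demo tree so it is self-contained; on a real host, point the functions at the installed config (assumed to be /etc/himmelblau/himmelblau.conf) and at /tmp. The function names and the fixture contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Himmelblau project code. Paths, function names and the
# demo fixtures below are assumptions made for illustration.

# Return 0 if the [global] section of the given config has a non-empty
# "domain" value that is not the <your-domain> placeholder, 1 otherwise.
# Only keys inside [global] count; commented lines (#, ;) never match.
himmelblau_domain_configured() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk -F'=' '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && $1 ~ /^[ \t]*domain[ \t]*$/ {
            val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val != "" && val !~ /^<.*>$/) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$conf"
}

# Print "path -> target" for every krb5cc_* entry directly inside the given
# directory that is a symlink (dangling ones included). Returns 0 if at least
# one symlink was found, 1 if none were.
find_krb5cc_symlinks() {
    dir="$1"
    found=1
    for p in "$dir"/krb5cc_*; do
        [ -L "$p" ] || continue
        printf '%s -> %s\n' "$p" "$(readlink "$p")"
        found=0
    done
    return $found
}

# Build a constructed demo tree (not a real system) and print its path:
#   good.conf - [global] domain set
#   bad.conf  - domain only commented out in [global], set in another section
#   tmp/      - one regular ccache file plus one symlink pointing elsewhere
make_demo_fixtures() {
    d=$(mktemp -d)
    printf '[global]\ndomain = example.com\n' > "$d/good.conf"
    printf '[global]\n# domain = example.com\n[other]\ndomain = example.com\n' > "$d/bad.conf"
    mkdir "$d/tmp"
    : > "$d/tmp/krb5cc_1000"
    ln -s "$d/somewhere-else" "$d/tmp/krb5cc_0"
    printf '%s\n' "$d"
}

# Stand-alone demo run over the constructed tree.
DEMO=$(make_demo_fixtures)
for c in good.conf bad.conf; do
    if himmelblau_domain_configured "$DEMO/$c"; then
        echo "$c: [global] domain is set, tenant scoping configured"
    else
        echo "$c: WARNING - [global] domain is not set"
    fi
done
if find_krb5cc_symlinks "$DEMO/tmp"; then
    echo "WARNING: krb5cc symlinks listed above need investigation"
else
    echo "no krb5cc symlinks found"
fi
rm -rf "$DEMO"
```

The config check deliberately ignores `domain` keys outside `[global]`, since the advisory is specifically about that section; the symlink scan reports dangling links too, because a pre-staged link whose target was later removed is still worth a look.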

Credits
Thanks to @khronosd for responsibly reporting these issues.

Full Changelog: 3.0.1...3.1.0