3.1.5

@dmulder dmulder released this 07 May 17:59

Security Fix (Critical)

This release addresses GHSA-pmxh-j4r6-88mv, a high-severity authentication bypass vulnerability affecting all versions from 2.0.0 through 3.1.4.

Vulnerability Summary

The token_validate function failed to verify that the authenticated user's username (UPN CN part) matched the requested account during Device Authorization Grant (DAG) flow authentication. The validation only compared domain information, allowing same-domain attackers to gain unauthorized access to other users' local Unix sessions.

Impact:

  • Local session impersonation — An authenticated user could unlock another coworker's local workstation session and access their files/home directory
  • Cloud credentials remain isolated — Attackers retain only their own Entra ID credentials; no cloud resource compromise occurs
  • Scope: DAG authentication flow only; Hello PIN and MFA flow authentication are completely unaffected

Attack Requirements:

  • Same Entra ID domain as target user
  • Access to target workstation
  • DAG flow enabled in tenant (QR/device code authentication)

Risk by Configuration:

  • Default setup (Hello PIN + MFA enabled): Very low risk
  • Either Hello or MFA disabled: High risk
  • Both disabled: Significantly elevated vulnerability

Fix Details

Commit: 4933756 by @ccadruvi
Change: Authentication now explicitly validates that the local part of the token's UPN matches the requested account_id, rejecting cross-user authentication attempts even when domains match.
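To illustrate the shape of the bug and the fix, here is an added Rust example (not himmelblau's own code) that places a domain-only UPN check beside one that also compares the local part against the requested account_id. The `TokenClaims` type, the function names, and case-insensitive UPN comparison are assumptions made for the example.

```rust
// Added example, not the project's code: contrasts a domain-only UPN check
// with the stricter check that also compares the UPN local part.
// `TokenClaims`, `validate_token_domain_only` and `validate_token_upn` are
// hypothetical names chosen for this illustration.

#[derive(Debug, PartialEq)]
pub enum AuthError {
    MalformedUpn,
    DomainMismatch,
    UserMismatch,
}

/// Minimal stand-in for the claims carried by an Entra ID token.
pub struct TokenClaims {
    pub upn: String,
}

/// Split "user@domain" into (user, domain). Both halves are lower-cased,
/// on the assumption that UPN comparison is case-insensitive.
fn split_upn(upn: &str) -> Result<(String, String), AuthError> {
    let (local, domain) = upn.split_once('@').ok_or(AuthError::MalformedUpn)?;
    if local.is_empty() || domain.is_empty() {
        return Err(AuthError::MalformedUpn);
    }
    Ok((local.to_lowercase(), domain.to_lowercase()))
}

/// Vulnerable shape: only the domain is compared, so a token belonging to
/// any user in the same domain satisfies the check for any requested account.
pub fn validate_token_domain_only(claims: &TokenClaims, account_id: &str) -> Result<(), AuthError> {
    let (_, token_domain) = split_upn(&claims.upn)?;
    let (_, requested_domain) = split_upn(account_id)?;
    if token_domain != requested_domain {
        return Err(AuthError::DomainMismatch);
    }
    Ok(())
}

/// Fixed shape: the domain AND the local part must both match the requested
/// account_id; a same-domain token for a different user is rejected.
pub fn validate_token_upn(claims: &TokenClaims, account_id: &str) -> Result<(), AuthError> {
    let (token_local, token_domain) = split_upn(&claims.upn)?;
    let (requested_local, requested_domain) = split_upn(account_id)?;
    if token_domain != requested_domain {
        return Err(AuthError::DomainMismatch);
    }
    if token_local != requested_local {
        return Err(AuthError::UserMismatch);
    }
    Ok(())
}
```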

Full Changelog: 3.1.4...3.1.5