# CVE-2026-31979

> CVE-2026-31979 is a high-severity local privilege escalation vulnerability in Himmelblau, an open-source Azure Entra ID authentication and Intune compliance suite for Linux. The vulnerability resides in the `himmelblaud-tasks` daemon, which runs as root. The root cause traces to commit `87a51ee`, which removed `PrivateTmp` from the tasks daemon's systemd hardening, exposing it to the host's `/tmp` directory without symlink protections. Four compounding factors enable exploitation: `PrivateTmp` removal, directory creation following symlinks via `DirBuilder` without validation, file writes lacking `O_NOFOLLOW`

- **CVSS:** 7.5 (HIGH)
- **EPSS:** 0.0%
- **CWE:** CWE-59, CWE-61
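
The path-based write pattern behind CWE-59/CWE-61 next to a descriptor-relative alternative, as an added example that is not Himmelblau's code or its fix. It is written in Python rather than the project's Rust because the standard library exposes `mkdirat`/`openat` through `dir_fd`; the function names, the `cache/state` path and the temporary directories are constructed for illustration.

```python
import os
import tempfile

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
FILE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW | os.O_CLOEXEC

def naive_write(base_dir, rel_path, data):
    """Path-based pattern: every component, symlinks included, is resolved."""
    target = os.path.join(base_dir, rel_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(data)

def safe_write(base_dir, rel_path, data, mode=0o600):
    """Walk rel_path one component at a time via directory fds, refusing symlinks."""
    parts = rel_path.split("/")
    if not all(parts) or any(p in (".", "..") for p in parts):
        raise ValueError("rel_path must be a plain relative path")
    *dirs, filename = parts
    fd = os.open(base_dir, DIR_FLAGS)
    try:
        for name in dirs:
            try:
                os.mkdir(name, 0o700, dir_fd=fd)  # mkdirat(2): EEXIST if a symlink is there
            except FileExistsError:
                pass
            next_fd = os.open(name, DIR_FLAGS, dir_fd=fd)  # OSError if name is a symlink
            os.close(fd)
            fd = next_fd
        with os.fdopen(os.open(filename, FILE_FLAGS, mode, dir_fd=fd), "wb") as f:
            f.write(data)
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: 'cache' inside a shared directory is a symlink elsewhere."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared")
        victim = os.path.join(root, "victim")
        os.mkdir(shared)
        os.mkdir(victim)
        os.symlink(victim, os.path.join(shared, "cache"))
        try:
            safe_write(shared, "cache/state", b"x")
            blocked = False
        except OSError:
            blocked = True
        untouched = os.listdir(victim) == []
        naive_write(shared, "cache/state", b"x")  # lands in victim/ via the symlink
        return blocked, untouched, os.path.exists(os.path.join(victim, "state"))
```

`demo()` returns `(blocked, untouched, redirected)`: the descriptor-relative write is refused and leaves the linked directory empty, while the path-based write ends up inside it.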

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-31979
