CVE-2026-42177: CWE-284: Improper Access Control in siemens linux-entra-sso
linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome's urlFilter without a | or || anchor is substring-matched against the full request URL. The same applied rule action is modifyHeaders that attaches the Entra ID Primary Refresh Token cookie. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs a belt-and-braces startsWith(Platform.SSO_URL) check before injecting the header; the Chrome adapter does not. When the extension holds broad host permissions through the optional_host_permissions: ["https://*/*"] declared in platform/chrome/manifest.json:34, a main-frame navigation to a URL whose path embeds https://login.microsoftonline.com/ causes Chrome to attach the PRT cookie to the request to the attacker-controlled host. This vulnerability is fixed in 1.8.1.
AI Analysis
Technical Summary
The Siemens linux-entra-sso plugin for Linux enables single sign-on (SSO) on Microsoft Entra ID. Prior to version 1.8.1, the Chrome adapter registers a declarativeNetRequest rule with a URL filter matching any URL containing "https://login.microsoftonline.com/" as a substring. Because Chrome's urlFilter matches substrings without anchors, and the extension declares broad host permissions ("https://*/*"), navigation to attacker-controlled URLs embedding the login URL substring causes the plugin to attach the Entra ID Primary Refresh Token cookie to requests to those attacker-controlled hosts. The Firefox adapter performs a stricter check preventing this. This improper access control vulnerability allows unauthorized exposure of sensitive authentication tokens. The vulnerability is fixed in linux-entra-sso version 1.8.1.
Potential Impact
An attacker controlling a URL that embeds the Microsoft Entra ID login URL substring can cause the vulnerable linux-entra-sso Chrome extension to attach the Primary Refresh Token cookie to requests sent to the attacker-controlled host. This could lead to unauthorized access to sensitive authentication tokens, potentially compromising user accounts. The CVSS score is 5.3 (medium severity), reflecting network attack vector, high complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no integrity or availability impact.
Mitigation Recommendations
This vulnerability is fixed in linux-entra-sso version 1.8.1. Users and administrators should upgrade to version 1.8.1 or later to remediate this issue. No other mitigation or workaround is indicated in the vendor advisory or available data.
CVE-2026-42177: CWE-284: Improper Access Control in siemens linux-entra-sso
Description
linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome's urlFilter without a | or || anchor is substring-matched against the full request URL. The same applied rule action is modifyHeaders that attaches the Entra ID Primary Refresh Token cookie. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs a belt-and-braces startsWith(Platform.SSO_URL) check before injecting the header; the Chrome adapter does not. When the extension holds broad host permissions through the optional_host_permissions: ["https://*/*"] declared in platform/chrome/manifest.json:34, a main-frame navigation to a URL whose path embeds https://login.microsoftonline.com/ causes Chrome to attach the PRT cookie to the request to the attacker-controlled host. This vulnerability is fixed in 1.8.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Siemens linux-entra-sso plugin for Linux enables single sign-on (SSO) on Microsoft Entra ID. Prior to version 1.8.1, the Chrome adapter registers a declarativeNetRequest rule with a URL filter matching any URL containing "https://login.microsoftonline.com/" as a substring. Because Chrome's urlFilter matches substrings without anchors, and the extension declares broad host permissions ("https://*/*"), navigation to attacker-controlled URLs embedding the login URL substring causes the plugin to attach the Entra ID Primary Refresh Token cookie to requests to those attacker-controlled hosts. The Firefox adapter performs a stricter check preventing this. This improper access control vulnerability allows unauthorized exposure of sensitive authentication tokens. The vulnerability is fixed in linux-entra-sso version 1.8.1.
Potential Impact
An attacker controlling a URL that embeds the Microsoft Entra ID login URL substring can cause the vulnerable linux-entra-sso Chrome extension to attach the Primary Refresh Token cookie to requests sent to the attacker-controlled host. This could lead to unauthorized access to sensitive authentication tokens, potentially compromising user accounts. The CVSS score is 5.3 (medium severity), reflecting network attack vector, high complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no integrity or availability impact.
Mitigation Recommendations
This vulnerability is fixed in linux-entra-sso version 1.8.1. Users and administrators should upgrade to version 1.8.1 or later to remediate this issue. No other mitigation or workaround is indicated in the vendor advisory or available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T01:53:21.582Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a036562cbff5d861008cc5d
Added to database: 5/12/2026, 5:37:38 PM
Last enriched: 5/12/2026, 6:08:28 PM
Last updated: 5/13/2026, 4:52:17 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.