Skip to main content

Authelia CVE-2026-47203

| EUVDEUVD-2026-38082 LOW
Improper Handling of Case Sensitivity (CWE-178)
2026-05-29 https://github.com/authelia/authelia GHSA-hjj4-hfjm-fmrj
2.9
CVSS 4.0 · Vendor: https://github.com/authelia/authelia

Severity by source

Vendor (https://github.com/authelia/authelia) PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/authelia/authelia) · only source for this CVE.

CVSS VectorVendor: https://github.com/authelia/authelia

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 19, 2026 - 21:22 NVD
2.9 (LOW)
Source Code Evidence Fetched
May 29, 2026 - 21:51 vuln.today
Analysis Generated
May 29, 2026 - 21:51 vuln.today

DescriptionCVE.org

Impact

CVSSv4 Baseline Score: Moderate 6.3

CVSSv4 Weighted Score: Low 2.9

The full CVSSv4 Vector for this vulnerability is:

> CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:L/IR:L/AR:L/MAV:N/MAC:H/MAT:N/MPR:N/MUI:N/MVC:L/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green

CVSSv3.1 Baseline Score: Low 3.7

CVSSv3.1 Overall Score: Medium 4.0

The full CVSSv3.1 Vector equivalent for this vulnerability is:

> CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:X/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N

The weighted severity rating is a result of no indication this is currently being exploited being available at the time of the publish date, in addition to the fact it's unlikely that it is being exploited currently.

Due to lack of canonicalization of the basic auth username, the effectiveness of the brute force mechanism when using basic auth is partially degraded.

Most passwords of reasonable length are unlikely to have a meaningful effect due to the fact there is no clear feedback to an attacker that is attempting to exploit this, thus their brute force attempts are significantly more likely to miss a valid password than they are identify a valid one.

Details

When a user authenticates via Basic Auth (i.e via the Authorization header with the Basic scheme) on the authz verification endpoint, Authelia takes the username directly from the Authorization header and passes it as is to the regulation system for ban checking and attempt recording.

LDAP treats usernames case insensitively : john, John, and JOHN all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a usernames case to have its own ban bucket.

Notable conditions or unaffected configurations:

  1. The first factor login endpoint (/api/firstfactor) is not affected
  2. The LDAP authentication backend must be in use.
  3. If the underlying database is case insensitive (as it should be with the collation we use for MySQL) it is not affected
  4. Administrators using the recently added IP regulation mode are not affected
  5. Administrators using a third-party tool such as CrowdSec or fail2ban are not affected
  6. Administrators that have disabled basic auth are not affected

Patches

Upgrade to 4.39.20.

Commit: https://github.com/authelia/authelia/commit/b8985b57b70acdff8f204ed426ff619e763461ad

Workarounds

Explicitly disable the basic auth mechanism.

Caddy, HAProxy, and Traefik
yaml
server:
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
        authn_strategies:
          - name: 'CookieSession'
nginx
yaml
server:
  endpoints:
    authz:
      auth-request:
        implementation: 'AuthRequest'
        authn_strategies:
          - name: 'CookieSession'
Envoy
yaml
server:
  endpoints:
    authz:
      ext-authz:
        implementation: 'ExtAuthz'
        authn_strategies:
          - name: 'CookieSession'

References

N/A

AnalysisAI

Brute force regulation bypass in Authelia's Basic Auth flow (versions 4.38.0-4.39.19) allows unauthenticated remote attackers to partially circumvent account lockout controls by submitting login attempts using case variants of a target username (e.g., 'john', 'John', 'JOHN'). Because Authelia passes the raw Authorization header username to the regulation system without canonicalization, and LDAP backends treat these as the same identity while the regulation SQL queries treat them as distinct, each casing variant occupies a separate ban bucket - multiplying the effective attempt quota before lockout triggers. No public exploit identified at time of analysis, and the CVSSv4 weighted score of 2.9 (Low) reflects the narrow exploitation conditions required and the lack of attacker feedback during exploitation.

Technical ContextAI

Authelia is an open-source authentication and authorization proxy written in Go (CPE: pkg:go/github.com_authelia_authelia_v4). The vulnerability is rooted in CWE-178 (Improper Handling of Case Sensitivity): LDAP directory services are inherently case-insensitive for bind operations, so 'john', 'John', and 'JOHN' resolve to the same directory account. However, Authelia's regulation subsystem - responsible for tracking failed login attempts and enforcing account bans - performs SQL lookups against its own database using the raw username string as supplied in the HTTP Authorization header. On case-sensitive database collations (e.g., PostgreSQL or MySQL without the UTF8MB4_unicode_ci collation Authelia recommends), each casing variant is stored and queried as a distinct identity, giving each its own independent ban counter. The affected code path is the authz verification endpoint's Basic Auth handler; the primary first-factor endpoint (/api/firstfactor) is not affected. The fix (commit b8985b57) refactors basic auth handling to canonicalize usernames and introduces a timing attack delay (NewTimingAttackDelay with a 2-second minimum) to further harden the authentication flow.

RemediationAI

The primary fix is to upgrade Authelia to version 4.39.20, which introduces username canonicalization in the Basic Auth handler and adds a mandatory timing attack delay. The patch commit is available at https://github.com/authelia/authelia/commit/b8985b57b70acdff8f204ed426ff619e763461ad. For deployments that cannot upgrade immediately, the recommended workaround is to explicitly disable Basic Auth on the authz endpoint by restricting authn_strategies to CookieSession only. For Caddy, HAProxy, and Traefik, configure the forward-auth endpoint with only the CookieSession strategy; for nginx, configure the auth-request endpoint similarly; for Envoy, configure the ext-authz endpoint with CookieSession. This workaround eliminates the vulnerable code path entirely with no known functional trade-off for deployments not relying on Basic Auth for proxy authentication. Alternatively, enabling IP-based regulation mode or deploying a third-party brute force tool such as CrowdSec or fail2ban also mitigates the impact without requiring a code change, though neither addresses the root canonicalization defect.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-47203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy