Skip to main content

Authelia CVE-2026-48794

| EUVDEUVD-2026-38083 LOW
Improper Handling of Case Sensitivity (CWE-178)
2026-06-19 GitHub_M GHSA-j748-h363-wqj8
1.3
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.5 LOW

Network vector; AC:H for eight simultaneous preconditions; PR:L for authenticated access; scope change as bypass affects the downstream protected application; no integrity or availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 23:17 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 20:49 vuln.today
Analysis Generated
Jun 19, 2026 - 20:49 vuln.today

DescriptionCVE.org

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. The specific conditions that could lead to a security issue for vulnerability are: 1. The specific target resource of the attack must be using the forwarded authorization integration; 2. The requested domain must have two additional segments compared to a session domain i.e. a.b.example.com is requested, but the session domain is example.com; 3. There access control rules must specify two separate rules which both contain inexact domain matches such as *.b.example.com and *.example.com i.e. wildcards, username matches, group matches; 4. The rules must be in order of most specific domain to least specific domain; 5. The second rule must be more permissive than the first rule; 6. The attacker must specifically request a URL for the more specific domain, with the second part containing one or more capitalized letters i.e. https://a.B.example.com and no other segment with capitalized letters; 7. The integration used must not be the Envoy ExtAuthz integration; and 8. The proxy must not canonicalize the requested host name in the relevant header before sending it to the relevant authorization endpoint. The kind of configuration used to produce this issue and result in a bypass rule being matched has long been highly discouraged. Essentially hosts which should be bypassed entirely should not be secured by having the proxy check them with the authorization handlers. Upgrade to 4.39.20 to receive a patch.

AnalysisAI

Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive strings.HasSuffix was used for wildcard domain matching: a crafted URL such as https://a.B.example.com causes the suffix check against *.b.example.com to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., *.example.com → bypass). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target Authelia deployment with ordered wildcard ACL rules and permissive fallback
Delivery
Verify proxy does not canonicalize Host header (e.g., test with mixed-case request)
Exploit
Craft URL with uppercase second domain segment matching more-specific wildcard rule (e.g., `https://a.B.example.com`)
Install
Submit authenticated request through non-normalizing proxy
C2
Case-sensitive suffix match fails on restrictive `*.b.example.com` rule
Execute
Permissive fallback rule `*.example.com
Impact
bypass` matched
Step 8
Unauthorized access to restricted resource granted

Vulnerability AssessmentAI

Exploitation Exploitation requires all eight of the following conditions simultaneously: (1) the target resource uses the forwarded authorization integration (not Envoy ExtAuthz); (2) the requested domain has exactly two more segments than the configured session domain (e.g., `a.b.example.com` requested when session domain is `example.com`); (3) two separate ACL rules are present using inexact domain matching - specifically wildcards (`*`), username wildcards, or group wildcards; (4) those rules are ordered most-specific first (e.g., `*.b.example.com` precedes `*.example.com`); (5) the second, less-specific rule is more permissive than the first (e.g., the fallback is a `bypass` policy); (6) the attacker's requested URL contains the more specific domain segment with one or more capitalized letters and no other segment is capitalized (e.g., `https://a.B.example.com`); (7) the Envoy ExtAuthz integration is not in use; and (8) the upstream proxy does not canonicalize or lowercase the Host header before forwarding it to Authelia. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is very low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker targeting a service at `https://secure.admin.example.com` (protected by the ACL rule `*.admin.example.com → two_factor`) crafts a request to `https://secure.ADMIN.example.com` with the second domain segment capitalized. When the upstream nginx proxy (configured without host normalization) forwards the original Host header to Authelia, the case-sensitive suffix check for `.admin.example.com` fails against `ADMIN`, skipping that rule and matching the fallback `*.example.com → bypass` rule instead - granting unauthenticated or single-factor access to a resource that should require two-factor authentication. …
Remediation Upgrade to Authelia 4.39.20, which is the vendor-released patch resolving this issue via commit b6d1d60baa02f216fdb19f5dfeaf2e805829508a (replacing case-sensitive `strings.HasSuffix` with the case-insensitive `StringHasSuffixFold` utility across all domain-matching branches). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy