Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/authelia/authelia) · only source for this CVE.
CVSS VectorVendor: https://github.com/authelia/authelia
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Impact
CVSSv4 Baseline Score: Moderate 6.3
CVSSv4 Weighted Score: Low 2.9
The full CVSSv4 Vector for this vulnerability is:
> CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:L/IR:L/AR:L/MAV:N/MAC:H/MAT:N/MPR:N/MUI:N/MVC:L/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green
CVSSv3.1 Baseline Score: Low 3.7
CVSSv3.1 Overall Score: Medium 4.0
The full CVSSv3.1 Vector equivalent for this vulnerability is:
> CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:X/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N
The weighted severity rating is a result of no indication this is currently being exploited being available at the time of the publish date, in addition to the fact it's unlikely that it is being exploited currently.
Due to lack of canonicalization of the basic auth username, the effectiveness of the brute force mechanism when using basic auth is partially degraded.
Most passwords of reasonable length are unlikely to have a meaningful effect due to the fact there is no clear feedback to an attacker that is attempting to exploit this, thus their brute force attempts are significantly more likely to miss a valid password than they are identify a valid one.
Details
When a user authenticates via Basic Auth (i.e via the Authorization header with the Basic scheme) on the authz verification endpoint, Authelia takes the username directly from the Authorization header and passes it as is to the regulation system for ban checking and attempt recording.
LDAP treats usernames case insensitively : john, John, and JOHN all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a usernames case to have its own ban bucket.
Notable conditions or unaffected configurations:
- The first factor login endpoint (
/api/firstfactor) is not affected - The LDAP authentication backend must be in use.
- If the underlying database is case insensitive (as it should be with the collation we use for MySQL) it is not affected
- Administrators using the recently added IP regulation mode are not affected
- Administrators using a third-party tool such as CrowdSec or fail2ban are not affected
- Administrators that have disabled basic auth are not affected
Patches
Upgrade to 4.39.20.
Commit: https://github.com/authelia/authelia/commit/b8985b57b70acdff8f204ed426ff619e763461ad
Workarounds
Explicitly disable the basic auth mechanism.
Caddy, HAProxy, and Traefik
server:
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
authn_strategies:
- name: 'CookieSession'nginx
server:
endpoints:
authz:
auth-request:
implementation: 'AuthRequest'
authn_strategies:
- name: 'CookieSession'Envoy
server:
endpoints:
authz:
ext-authz:
implementation: 'ExtAuthz'
authn_strategies:
- name: 'CookieSession'References
N/A
AnalysisAI
Brute force regulation bypass in Authelia's Basic Auth flow (versions 4.38.0-4.39.19) allows unauthenticated remote attackers to partially circumvent account lockout controls by submitting login attempts using case variants of a target username (e.g., 'john', 'John', 'JOHN'). Because Authelia passes the raw Authorization header username to the regulation system without canonicalization, and LDAP backends treat these as the same identity while the regulation SQL queries treat them as distinct, each casing variant occupies a separate ban bucket - multiplying the effective attempt quota before lockout triggers. No public exploit identified at time of analysis, and the CVSSv4 weighted score of 2.9 (Low) reflects the narrow exploitation conditions required and the lack of attacker feedback during exploitation.
Technical ContextAI
Authelia is an open-source authentication and authorization proxy written in Go (CPE: pkg:go/github.com_authelia_authelia_v4). The vulnerability is rooted in CWE-178 (Improper Handling of Case Sensitivity): LDAP directory services are inherently case-insensitive for bind operations, so 'john', 'John', and 'JOHN' resolve to the same directory account. However, Authelia's regulation subsystem - responsible for tracking failed login attempts and enforcing account bans - performs SQL lookups against its own database using the raw username string as supplied in the HTTP Authorization header. On case-sensitive database collations (e.g., PostgreSQL or MySQL without the UTF8MB4_unicode_ci collation Authelia recommends), each casing variant is stored and queried as a distinct identity, giving each its own independent ban counter. The affected code path is the authz verification endpoint's Basic Auth handler; the primary first-factor endpoint (/api/firstfactor) is not affected. The fix (commit b8985b57) refactors basic auth handling to canonicalize usernames and introduces a timing attack delay (NewTimingAttackDelay with a 2-second minimum) to further harden the authentication flow.
RemediationAI
The primary fix is to upgrade Authelia to version 4.39.20, which introduces username canonicalization in the Basic Auth handler and adds a mandatory timing attack delay. The patch commit is available at https://github.com/authelia/authelia/commit/b8985b57b70acdff8f204ed426ff619e763461ad. For deployments that cannot upgrade immediately, the recommended workaround is to explicitly disable Basic Auth on the authz endpoint by restricting authn_strategies to CookieSession only. For Caddy, HAProxy, and Traefik, configure the forward-auth endpoint with only the CookieSession strategy; for nginx, configure the auth-request endpoint similarly; for Envoy, configure the ext-authz endpoint with CookieSession. This workaround eliminates the vulnerable code path entirely with no known functional trade-off for deployments not relying on Basic Auth for proxy authentication. Alternatively, enabling IP-based regulation mode or deploying a third-party brute force tool such as CrowdSec or fail2ban also mitigates the impact without requiring a code change, though neither addresses the root canonicalization defect.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-178 – Improper Handling of Case Sensitivity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38082
GHSA-hjj4-hfjm-fmrj