Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector; AC:H for eight simultaneous preconditions; PR:L for authenticated access; scope change as bypass affects the downstream protected application; no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. The specific conditions that could lead to a security issue for vulnerability are: 1. The specific target resource of the attack must be using the forwarded authorization integration; 2. The requested domain must have two additional segments compared to a session domain i.e. a.b.example.com is requested, but the session domain is example.com; 3. There access control rules must specify two separate rules which both contain inexact domain matches such as *.b.example.com and *.example.com i.e. wildcards, username matches, group matches; 4. The rules must be in order of most specific domain to least specific domain; 5. The second rule must be more permissive than the first rule; 6. The attacker must specifically request a URL for the more specific domain, with the second part containing one or more capitalized letters i.e. https://a.B.example.com and no other segment with capitalized letters; 7. The integration used must not be the Envoy ExtAuthz integration; and 8. The proxy must not canonicalize the requested host name in the relevant header before sending it to the relevant authorization endpoint. The kind of configuration used to produce this issue and result in a bypass rule being matched has long been highly discouraged. Essentially hosts which should be bypassed entirely should not be secured by having the proxy check them with the authorization handlers. Upgrade to 4.39.20 to receive a patch.
AnalysisAI
Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive strings.HasSuffix was used for wildcard domain matching: a crafted URL such as https://a.B.example.com causes the suffix check against *.b.example.com to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., *.example.com → bypass). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all eight of the following conditions simultaneously: (1) the target resource uses the forwarded authorization integration (not Envoy ExtAuthz); (2) the requested domain has exactly two more segments than the configured session domain (e.g., `a.b.example.com` requested when session domain is `example.com`); (3) two separate ACL rules are present using inexact domain matching - specifically wildcards (`*`), username wildcards, or group wildcards; (4) those rules are ordered most-specific first (e.g., `*.b.example.com` precedes `*.example.com`); (5) the second, less-specific rule is more permissive than the first (e.g., the fallback is a `bypass` policy); (6) the attacker's requested URL contains the more specific domain segment with one or more capitalized letters and no other segment is capitalized (e.g., `https://a.B.example.com`); (7) the Envoy ExtAuthz integration is not in use; and (8) the upstream proxy does not canonicalize or lowercase the Host header before forwarding it to Authelia. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is very low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker targeting a service at `https://secure.admin.example.com` (protected by the ACL rule `*.admin.example.com → two_factor`) crafts a request to `https://secure.ADMIN.example.com` with the second domain segment capitalized. When the upstream nginx proxy (configured without host normalization) forwards the original Host header to Authelia, the case-sensitive suffix check for `.admin.example.com` fails against `ADMIN`, skipping that rule and matching the fallback `*.example.com → bypass` rule instead - granting unauthenticated or single-factor access to a resource that should require two-factor authentication. … |
| Remediation | Upgrade to Authelia 4.39.20, which is the vendor-released patch resolving this issue via commit b6d1d60baa02f216fdb19f5dfeaf2e805829508a (replacing case-sensitive `strings.HasSuffix` with the case-insensitive `StringHasSuffixFold` utility across all domain-matching branches). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Authelia is a a single sign-on multi-factor portal for web apps. Rated critical severity (CVSS 10.0), this vulnerability
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on
Same weakness CWE-178 – Improper Handling of Case Sensitivity
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38083
GHSA-j748-h363-wqj8