Skip to main content

Authelia

3 CVEs product

Monthly

CVE-2026-48794 Go LOW PATCH GHSA Monitor

Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.

Authentication Bypass Authelia
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.3%
CVE-2021-32637 Go CRITICAL POC PATCH Act Now

Authelia is a a single sign-on multi-factor portal for web apps. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Authentication Bypass Authelia
NVD GitHub
CVSS 3.1
10.0
EPSS
1.9%
CVE-2021-29456 Go MEDIUM PATCH This Month

Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Authelia
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
EPSS 0% CVSS 1.3
LOW PATCH Monitor

Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.

Authentication Bypass Authelia
NVD GitHub VulDB
EPSS 2% CVSS 10.0
CRITICAL POC PATCH Act Now

Authelia is a a single sign-on multi-factor portal for web apps. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Authentication Bypass Authelia
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Authelia
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy