Authelia
Monthly
Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.
Authelia is a a single sign-on multi-factor portal for web apps. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.
Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.
Authelia is a a single sign-on multi-factor portal for web apps. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.