Description
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In version 4.39.15, an attacker may potentially be able to inject JavaScript into the Authelia login page if several conditions are met simultaneously. Unless both the `script-src` and `connect-src` directives have been modified, it is almost impossible for this to have a meaningful impact. However, if both of these have been modified, and modified without consideration of their potential impact, there are situations where this vulnerability could be exploited. This is caused by the lack of neutralization of the `language` cookie value when rendering the HTML template. This vulnerability is likely difficult to discover through fingerprinting due to the way Authelia is designed, but it should not be considered impossible. The additional requirement to identify the secondary application is, however, likely to be significantly harder to satisfy alongside this, but also likely easier to fingerprint. Users should upgrade to 4.39.16 or downgrade to 4.39.14 to mitigate the issue. The overwhelming majority of installations will not be affected and no workarounds are necessary. The default value for the Content Security Policy makes exploiting this weakness completely impossible. It is only possible via the deliberate removal of the Content Security Policy or the deliberate inclusion of clearly noted unsafe policies.
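The advisory's exploitability condition (both `script-src` and `connect-src` weakened, or the CSP removed outright) can be turned into a configuration check a defender runs against the header a deployment actually serves. This is an added example, not Authelia's code; the sample policies are constructed and the `UNSAFE_SOURCES` list is an assumption about which source expressions count as weakening a directive.

```python
"""Audit a Content-Security-Policy header for the two directives the advisory
names: script-src (can injected script run?) and connect-src (where could it
send data?). Added example, not Authelia code; sample policies are constructed."""
from typing import Dict, List, Optional

# Source expressions that let attacker-influenced content satisfy a directive.
# 'unsafe-inline' is counted conservatively even when nonces/hashes are present.
UNSAFE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.
    Names are case-insensitive; a repeated directive keeps its first occurrence,
    which is how browsers resolve duplicates."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Fetch directives fall back to default-src when not set explicitly."""
    return directives.get(name, directives.get("default-src"))


def is_weakened(sources: Optional[List[str]]) -> bool:
    """Weakened means absent altogether (no default-src either, i.e. the header
    was removed) or admitting any source expression from UNSAFE_SOURCES."""
    if sources is None:
        return True
    return any(s.lower() in UNSAFE_SOURCES for s in sources)


def csp_exposes_login_page(header: str) -> Dict[str, bool]:
    """Per-directive findings plus the advisory's combined condition: both
    script-src and connect-src must be weakened for the flaw to be usable."""
    directives = parse_csp(header)
    script = is_weakened(effective_sources(directives, "script-src"))
    connect = is_weakened(effective_sources(directives, "connect-src"))
    return {"script-src": script, "connect-src": connect, "exploitable": script and connect}


# Constructed sample policies (not Authelia's real default).
STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; object-src 'none'"
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src *"
HALF_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
```

Run `csp_exposes_login_page` over the value of the `Content-Security-Policy` response header fetched from the portal; only a result with `exploitable` set to `True` matches the situation the advisory describes.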
Published: 2026-03-26
Score: 0.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site Scripting
Action: Apply Patch
AI Analysis

Impact

An attacker may inject JavaScript into the Authelia login page when the application is rendered with an unneutralized language cookie value. The vulnerability is mitigated by the software's default Content Security Policy (CSP); exploitation requires an attacker to reconfigure or bypass the CSP, a step that is highly unlikely to be performed without direct knowledge of the deployment. Even if the CSP is compromised, the attacker would only gain script execution in the context of the login page, limiting the scope to the authentication interface rather than the entire system.

Affected Systems

The vulnerability affects Authelia version 4.39.15. Users running that exact version should either update to 4.39.16 or downgrade to 4.39.14 to eliminate the flaw. No other versions or products are documented as affected.

Risk and Exploitability

The CVSS base score of 0.5 and EPSS probability of less than 1% indicate a very low overall risk. The vulnerability is not listed in the CISA KEV catalog, reflecting that no widespread exploitation has been observed. Exploitation is conditional on both an attacker identifying the specific language cookie value injection point and deliberately modifying CSP directives; both conditions together are difficult to achieve in practice, which further reduces the likelihood of real-world attacks.

Generated by OpenCVE AI on April 2, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Authelia to version 4.39.16 or downgrade to 4.39.14.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-gmfg-3v4q-9qr4
Title: Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
History

Thu, 02 Apr 2026 20:30:00 +0000

Values added (nothing removed):
CPEs: cpe:2.3:a:authelia:authelia:4.39.15:*:*:*:*:*:*:*
Metrics (cvssV3_1): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 30 Mar 2026 15:15:00 +0000

Values added (nothing removed):
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Values added (nothing removed):
First Time appeared: Authelia (vendor), authelia (product)
Vendors & Products: Authelia (vendor), authelia (product)

Thu, 26 Mar 2026 19:45:00 +0000

Values added (nothing removed):
Description: Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In version 4.39.15, an attacker may potentially be able to inject JavaScript into the Authelia login page if several conditions are met simultaneously. Unless both the `script-src` and `connect-src` directives have been modified, it is almost impossible for this to have a meaningful impact. However, if both of these have been modified, and modified without consideration of their potential impact, there are situations where this vulnerability could be exploited. This is caused by the lack of neutralization of the `language` cookie value when rendering the HTML template. This vulnerability is likely difficult to discover through fingerprinting due to the way Authelia is designed, but it should not be considered impossible. The additional requirement to identify the secondary application is, however, likely to be significantly harder to satisfy alongside this, but also likely easier to fingerprint. Users should upgrade to 4.39.16 or downgrade to 4.39.14 to mitigate the issue. The overwhelming majority of installations will not be affected and no workarounds are necessary. The default value for the Content Security Policy makes exploiting this weakness completely impossible. It is only possible via the deliberate removal of the Content Security Policy or the deliberate inclusion of clearly noted unsafe policies.
Title: Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
Weaknesses: CWE-79
References: (none listed)
Metrics (cvssV4_0): {'score': 0.5, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T14:55:38.565Z

Reserved: 2026-03-20T18:05:11.830Z

Link: CVE-2026-33525

Vulnrichment

Updated: 2026-03-30T13:59:47.876Z

NVD

Status: Analyzed

Published: 2026-03-26T20:16:14.740

Modified: 2026-04-02T18:20:55.207

Link: CVE-2026-33525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:54Z

Weaknesses