Description
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth (i.e. via the `Authorization` header with the `Basic` scheme) on the authz verification endpoint, Authelia takes the username directly from the `Authorization` header and passes it as is to the regulation system for ban checking and attempt recording. LDAP treats usernames case-insensitively: `john`, `John`, and `JOHN` all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a username's case to have its own ban bucket. Upgrade to 4.39.20 to receive a patch. As a workaround, explicitly disable the basic auth mechanism.
Published: 2026-06-19
Score: 2.9 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from Authelia's handling of Basic Auth usernames when the user is authenticated against an LDAP backend. The system consumes the raw username from the Authorization header and forwards it to the regulation subsystem without case‑normalisation. LDAP treats usernames as case‑insensitive, whereas the SQL queries that record bans and attempts treat them as case‑sensitive in certain contexts. Consequently, each case variation of a username creates or references a separate ban bucket, allowing an attacker to circumvent login throttling or account lockouts by simply altering the case of their credentials.
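The bucket mismatch described above, shown as an added Go model that is not Authelia's code: a toy regulation store keyed either by the raw Basic Auth username (the affected behaviour) or by a lower-cased, trimmed canonical form (an assumed shape of the fix, not the project's actual implementation). With three constructed spellings of one LDAP user and a three-retry limit, the raw key accepts nine failures before any spelling is refused, the canonical key three.

```go
package main

import (
	"fmt"
	"strings"
)

// Regulator is a toy login-regulation store keyed by username. key picks the
// bucket: RawKey mirrors the affected behaviour, CanonicalKey the patched shape.
type Regulator struct {
	maxRetries int
	key        func(string) string
	failures   map[string]int
}

func NewRegulator(maxRetries int, key func(string) string) *Regulator {
	return &Regulator{maxRetries: maxRetries, key: key, failures: map[string]int{}}
}

// RecordFailure adds one failed attempt to the bucket chosen by key.
func (r *Regulator) RecordFailure(username string) { r.failures[r.key(username)]++ }
// IsBanned reports whether that bucket has reached the retry limit.
func (r *Regulator) IsBanned(username string) bool { return r.failures[r.key(username)] >= r.maxRetries }
// RawKey passes the username through unchanged (affected versions).
func RawKey(u string) string { return u }
// CanonicalKey lower-cases and trims the name so john/John/JOHN share one
// bucket, matching LDAP's case-insensitive bind (assumed shape of the fix).
func CanonicalKey(u string) string { return strings.ToLower(strings.TrimSpace(u)) }

// FailuresBeforeBan cycles through the spellings, one failure per attempt,
// and returns how many failures were accepted before a spelling was refused.
func FailuresBeforeBan(r *Regulator, spellings []string) int {
	total := 0
	for i := 0; total < 1000; i++ {
		u := spellings[i%len(spellings)]
		if r.IsBanned(u) {
			break
		}
		r.RecordFailure(u)
		total++
	}
	return total
}

func main() {
	spellings := []string{"john", "John", "JOHN"} // constructed sample input
	fmt.Println("raw:", FailuresBeforeBan(NewRegulator(3, RawKey), spellings))
	fmt.Println("canonical:", FailuresBeforeBan(NewRegulator(3, CanonicalKey), spellings))
}
```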

Affected Systems

Affected versions are Authelia 4.38.0 through 4.39.19. The issue exists where Basic Authentication is enabled and the verification endpoint is used in an environment that exchanges credentials with an LDAP server. Updates to version 4.39.20 include a patch that normalises usernames before they are processed by the regulation logic, fixing the mismatch.

Risk and Exploitability

The CVSS score of 2.9 indicates a low-severity problem; no exploitation leading to remote code execution or high privilege escalation has been reported. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog. An attacker would need network access to the verification endpoint and the ability to send authenticated requests; they could then repeat login attempts with varied casing to avoid bans, but would still need valid credentials to succeed. The practical impact is a limited bypass of policy enforcement rather than a broad compromise of the system.

Generated by OpenCVE AI on June 19, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Authelia to version 4.39.20 or newer, which canonicalises usernames before ban checking.
  • If an upgrade is not immediately possible, disable the Basic Authentication feature to prevent the flaw from being exercised.
  • Verify that LDAP binding and related SQL queries treat usernames case‑insensitively; consider implementing a global lower‑case transformation for all login attempts.

Advisories
Source: Github GHSA
ID: GHSA-hjj4-hfjm-fmrj
Title: Authelia Missing Username Canonicalization in Basic Auth (LDAP)
History

Fri, 19 Jun 2026 22:15:00 +0000

Type: First Time appeared
Values Added: Authelia; Authelia authelia
Type: Vendors & Products
Values Added: Authelia; Authelia authelia

Fri, 19 Jun 2026 20:30:00 +0000

Type: Description
Values Added: Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth (i.e. via the `Authorization` header with the `Basic` scheme) on the authz verification endpoint, Authelia takes the username directly from the `Authorization` header and passes it as is to the regulation system for ban checking and attempt recording. LDAP treats usernames case-insensitively: `john`, `John`, and `JOHN` all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a username's case to have its own ban bucket. Upgrade to 4.39.20 to receive a patch. As a workaround, explicitly disable the basic auth mechanism.
Type: Title
Values Added: Authelia Missing Username Canonicalization in Basic Auth (LDAP)
Type: Weaknesses
Values Added: CWE-178, CWE-307
Type: References
Values Added: (none shown)
Type: Metrics
Values Added: cvssV4_0 {'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T20:19:47.903Z

Reserved: 2026-05-18T22:07:37.436Z

Link: CVE-2026-47203

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T22:00:06Z

Weaknesses
  • CWE-178: Improper Handling of Case Sensitivity
  • CWE-307: Improper Restriction of Excessive Authentication Attempts