Description
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to a lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. The specific conditions that could lead to a security issue are:
  1. The specific target resource of the attack must be using the forwarded authorization integration.
  2. The requested domain must have two additional segments compared to a session domain, e.g. `a.b.example.com` is requested but the session domain is `example.com`.
  3. The access control rules must specify two separate rules which both contain inexact domain matches (wildcards, username matches, group matches), such as `*.b.example.com` and `*.example.com`.
  4. The rules must be in order of most specific domain to least specific domain.
  5. The second rule must be more permissive than the first rule.
  6. The attacker must specifically request a URL for the more specific domain, with the second segment containing one or more capitalized letters, e.g. `https://a.B.example.com`, and no other segment containing capitalized letters.
  7. The integration used must not be the Envoy ExtAuthz integration.
  8. The proxy must not canonicalize the requested host name in the relevant header before sending it to the relevant authorization endpoint.
The kind of configuration needed to produce this issue, where a `bypass` rule ends up being matched, has long been highly discouraged: hosts which should be bypassed entirely should not be protected by having the proxy check them with the authorization handlers at all. Upgrade to 4.39.20 to receive a patch.
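The following is an added, simplified illustration of the matching flaw described above; it is not Authelia's code. It models two wildcard domain rules evaluated first-match-wins, shows how a byte-for-byte suffix comparison lets a mixed-case host skip the stricter rule and fall through to the `bypass` rule, and how lower-casing the host before matching (the canonicalization the advisory refers to) restores the intended result. The `Rule`, `matchDomain` and `firstMatch` names are assumptions for this example, and the session-domain and integration conditions are not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified access control rule: a domain pattern (exact or
// leading-wildcard) and the policy applied when it matches.
type Rule struct {
	Domain string
	Policy string
}

// matchDomain reports whether host matches pattern. A leading "*." matches
// any prefix, as with the wildcard rules in the advisory. The comparison is
// byte-for-byte, so it is only correct when both sides are canonical.
func matchDomain(pattern, host string) bool {
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:]) // pattern[1:] keeps the leading "."
	}
	return host == pattern
}

// firstMatch walks the rules in order and returns the policy of the first
// rule whose domain matches, or "deny" if none matches. When canonicalize is
// true the host is lower-cased first, which is the behaviour a fixed matcher
// (or a proxy that canonicalizes the host header) provides.
func firstMatch(rules []Rule, host string, canonicalize bool) string {
	if canonicalize {
		host = strings.ToLower(host)
	}
	for _, r := range rules {
		if matchDomain(r.Domain, host) {
			return r.Policy
		}
	}
	return "deny"
}

func main() {
	// Constructed rule set in the discouraged shape: most specific first,
	// with a more permissive bypass rule below it.
	rules := []Rule{
		{Domain: "*.b.example.com", Policy: "two_factor"},
		{Domain: "*.example.com", Policy: "bypass"},
	}
	fmt.Println(firstMatch(rules, "a.b.example.com", false)) // two_factor
	fmt.Println(firstMatch(rules, "a.B.example.com", false)) // bypass: first rule skipped
	fmt.Println(firstMatch(rules, "a.B.example.com", true))  // two_factor
}
```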
Published: 2026-06-19
Score: 1.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authelia versions 4.36.0 through 4.39.19 contain a subtle domain canonicalization flaw in the forwarded authorization integration. When a request arrives with a domain that contains two more sub-segments than the session domain, and the configuration includes two overlapping wildcard domain rules, the implementation can mistakenly evaluate the less specific, more permissive rule before the intended stricter rule. The result is that authentication and authorization checks may be bypassed, allowing an attacker to gain access to protected resources that should otherwise be restricted.

Affected Systems

This weakness affects the open-source Authelia authentication and authorization server, specifically deployments of Authelia 4.36.0 up to 4.39.19. The issue is triggered only when the forwarded authorization integration is used, the proxy does not canonicalize the host header, and the integration is not Envoy ExtAuthz. Systems configured with overlapping wildcard domain matches such as `*.b.example.com` and `*.example.com`, arranged from most to least specific, are vulnerable. The configuration pattern is strongly discouraged and is not supported by the default settings.

Risk and Exploitability

The CVSS v3.1 score of 1.3 indicates a low overall impact, and the EPSS score is not available, making the likelihood of exploitation uncertain. The exploit requires a highly specific configuration and a crafted request header containing a capital letter in the sub-domain, making remote exploitation complex and unlikely in practice. The vulnerability is not listed in CISA's KEV catalog. If the conditions are satisfied, an attacker could elevate privileges by bypassing access controls, but this is not straightforward and the opportunity is narrow.

Generated by OpenCVE AI on June 19, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Authelia to version 4.39.20 or later, which includes the domain canonicalization patch.
  • Remove or adjust forwarded authorization integration configurations that rely on overlapping wildcard domain rules; ensure ACLs are ordered from most to least specific without overlapping matches.
  • Configure the reverse proxy to canonicalize the Host header before forwarding requests to Authelia, or disable the forwarded authorization integration entirely and use supported mechanisms.

Generated by OpenCVE AI on June 19, 2026 at 21:13 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Authelia; Authelia authelia
Vendors & Products   (none)           Authelia; Authelia authelia

Fri, 19 Jun 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           The CVE description shown at the top of this page was added.
Title         (none)           Authelia has an Edge Case Access Control Rule Mismatch
Weaknesses    (none)           CWE-178; CWE-863
References    (none)           (none shown)
Metrics       (none)           cvssV4_0: {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P'}


Subscriptions

Authelia Authelia
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T20:23:03.917Z

Reserved: 2026-05-22T20:18:20.366Z

Link: CVE-2026-48794

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T22:00:06Z

Weaknesses
  • CWE-178: Improper Handling of Case Sensitivity
  • CWE-863: Incorrect Authorization