CVE-2026-33525
published 2026-03-26CVE-2026-33525: Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web…
PriorityP429medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.23%
13.1th percentile
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In version 4.39.15, an attacker may potentially be able to inject javascript into the Authelia login page if several conditions are met simultaneously. Unless both the `script-src` and `connect-src` directives have been modified it's almost impossible for this to have a meaningful impact. However if both of these are and they are done so without consideration to their potential impact; there is a are situations where this vulnerability could be exploited. This is caused to the lack of neutralization of the `langauge` cookie value when rendering the HTML template. This vulnerability is likely difficult to discover though fingerprinting due to the way Authelia is designed but it should not be considered impossible. The additional requirement to identify the secondary application is however likely to be significantly harder to identify along side this, but also likely easier to fingerprint. Users should upgrade to 4.39.16 or downgrade to 4.39.14 to mitigate the issue. The overwhelming majority of installations will not be affected and no workarounds are necessary. The default value for the Content Security Policy makes exploiting this weakness completely impossible. It's only possible via the deliberate removal of the Content Security Policy or deliberate inclusion of clearly noted unsafe policies.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| authelia | authelia | — | — |
| authelia | authelia | — | — |
| github.com | authelia_authelia_v4 | >= 4.39.15 < 4.39.16 | 4.39.16 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv4.00.5LOWCVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting in github.com/authelia/authelia
osv·2026-03-26
CVE-2026-33525 Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting in github.com/authelia/authelia
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting in github.com/authelia/authelia
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting in github.com/authelia/authelia
GHSA
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
ghsa·2026-03-24
CVE-2026-33525 [LOW] CWE-79 Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
### Impact
**Official Weighted Severity Rating:** Low
This exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, **_any other value_** other than unconfigured should be **_very carefully evaluated_** regardless of the fix.
```yaml
server:
headers:
csp_template: ''
```
```env
AUTHELIA_SERVER_HEADERS_CSP_TEMPLATE=
```
Provided the following conditions are met:
1. The Content Security Policy:
1. Has been disabled or modified from the entirely safe default value; and
2. Has been completely disabled by the Administrator by omitting the header explicitly at the proxy (worst
OSV
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
osv·2026-03-24
CVE-2026-33525 [LOW] Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
### Impact
**Official Weighted Severity Rating:** Low
This exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, **_any other value_** other than unconfigured should be **_very carefully evaluated_** regardless of the fix.
```yaml
server:
headers:
csp_template: ''
```
```env
AUTHELIA_SERVER_HEADERS_CSP_TEMPLATE=
```
Provided the following conditions are met:
1. The Content Security Policy:
1. Has been disabled or modified from the entirely safe default value; and
2. Has been completely disabled by the Administrator by omitting the header explicitly at the proxy (worst
No detection rules found.
No public exploits indexed.
2026-03-26
Published