CVE-2026-47203
Published: 2026-06-19
Priority: P4 (20), low. CVSS 4.0 score: 2.9
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P (environmental and supplemental metrics not defined: CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA, S, AU, R, V, RE, U all X)
EPSS: 0.31% (22.5th percentile)
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates with Basic Auth (an `Authorization` header using the `Basic` scheme) on the authz verification endpoint, Authelia takes the username directly from the `Authorization` header and passes it as-is to the regulation system for ban checking and attempt recording. LDAP treats usernames case-insensitively: `john`, `John` and `JOHN` all bind as the same user. In certain scenarios, however, the regulation SQL queries look these values up case-sensitively, so each case variant of a username gets its own ban bucket. An attacker who cycles through case variants of a target username therefore receives a separate failed-attempt allowance per variant, which weakens the brute-force protection the regulation system is meant to provide (CWE-178, improper handling of case sensitivity). Upgrade to 4.39.20 to receive a patch. As a workaround, explicitly disable the Basic Auth mechanism.
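The mechanism in the description above, as an added example that is not Authelia's code: a toy regulation store keyed by the username taken straight from the `Authorization: Basic` header, beside the same store keyed by a canonicalized username. The in-memory map stands in for the regulation SQL table, `strings.EqualFold` stands in for LDAP's case-insensitive matching, and lowercasing is one possible canonicalization assumed for the example (the page does not state what form the 4.39.20 fix uses). The directory entry, the `maxAttempts` limit and all function names are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed illustration, not Authelia's code: regulation ("ban bucket")
// checks keyed by the Basic Auth username, with and without canonicalization.
const maxAttempts = 3 // failed binds allowed per bucket before a ban

var ErrBanned = errors.New("regulation: user is banned")

// parseBasicAuth extracts user and password from an "Authorization: Basic ..." value.
func parseBasicAuth(header string) (user, pass string, err error) {
	if !strings.HasPrefix(header, "Basic ") {
		return "", "", errors.New("not a Basic scheme header")
	}
	raw, err := base64.StdEncoding.DecodeString(header[len("Basic "):])
	if err != nil {
		return "", "", err
	}
	user, pass, ok := strings.Cut(string(raw), ":") // password may itself contain ':'
	if !ok {
		return "", "", errors.New("malformed credentials")
	}
	return user, pass, nil
}

// basicHeader builds the header value an HTTP client would send.
func basicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// Regulator stands in for the regulation SQL table. Go map keys compare
// byte-for-byte, mirroring the case-sensitive lookup the advisory describes.
type Regulator struct {
	failures  map[string]int
	canonical func(string) string // Identity = vulnerable, Lowercase = hardened
}

func NewRegulator(canonical func(string) string) *Regulator {
	return &Regulator{failures: map[string]int{}, canonical: canonical}
}

// Check returns ErrBanned once the username's bucket has reached maxAttempts.
func (r *Regulator) Check(username string) error {
	if r.failures[r.canonical(username)] >= maxAttempts {
		return ErrBanned
	}
	return nil
}

// RecordFailure counts one failed bind against the username's bucket.
func (r *Regulator) RecordFailure(username string) {
	r.failures[r.canonical(username)]++
}

// Identity is the vulnerable path (header value used as-is); Lowercase is one
// possible canonicalization, assumed here rather than taken from Authelia.
func Identity(s string) string  { return s }
func Lowercase(s string) string { return strings.ToLower(s) }

// Constructed stand-in for the LDAP directory: strings.EqualFold emulates the
// case-insensitive username matching LDAP applies at bind time.
const ldapUID, ldapPassword = "john", "correct horse battery staple"

func ldapBind(user, pass string) bool {
	return strings.EqualFold(user, ldapUID) && pass == ldapPassword
}

// authz models one request to the verification endpoint: 403 when banned,
// 401 on bad credentials (with the failure recorded), 200 on success.
func authz(r *Regulator, authHeader string) int {
	user, pass, err := parseBasicAuth(authHeader)
	if err != nil {
		return 401
	}
	if errors.Is(r.Check(user), ErrBanned) {
		return 403
	}
	if ldapBind(user, pass) {
		return 200
	}
	r.RecordFailure(user)
	return 401
}

// bruteForceBudget cycles wrong guesses across spellings of one username and
// returns how many the endpoint checked against LDAP before the first 403.
func bruteForceBudget(r *Regulator, spellings []string, maxGuesses int) int {
	checked := 0
	for i := 0; i < maxGuesses; i++ {
		u := spellings[i%len(spellings)]
		if authz(r, basicHeader(u, fmt.Sprintf("guess-%d", i))) == 403 {
			return checked
		}
		checked++
	}
	return checked
}

func main() {
	spellings := []string{"john", "John", "JOHN", "jOhN"}
	fmt.Println("raw key:      ", bruteForceBudget(NewRegulator(Identity), spellings, 100)) // 12
	fmt.Println("canonical key:", bruteForceBudget(NewRegulator(Lowercase), spellings, 100)) // 3
}
```

With four spellings and a limit of three, the raw-keyed regulator lets twelve wrong guesses reach LDAP before the first 403 while the canonicalized one lets three through, so the attacker's budget scales with the number of case variants (a username with k letters has up to 2^k of them). Whether the real lookup is case-sensitive depends on the database and collation, which is why the advisory says "in certain scenarios"; canonicalizing before both the ban check and the attempt record removes that dependency, and the workaround of disabling Basic Auth removes the path entirely.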
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| authelia | authelia | — | — |
| github.com | authelia_authelia_v4 | >= 4.38.0 < 4.39.20 | 4.39.20 |
VulDB
authelia up to 4.39.19 case sensitivity (GHSA-hjj4-hfjm-fmrj / EUVD-2026-38082)
vuldb·2026-06-19
CVE-2026-47203 [LOW] authelia up to 4.39.19 case sensitivity (GHSA-hjj4-hfjm-fmrj / EUVD-2026-38082)
A vulnerability classified as problematic has been found in authelia up to 4.39.19. The affected function is not identified. The manipulation leads to improper handling of case sensitivity.
This vulnerability is tracked as CVE-2026-47203. The attack can be launched remotely. No public exploit is available.
It is advisable to upgrade the affected component.
GHSA
Authelia Missing Username Canonicalization in Basic Auth (LDAP)
ghsa·2026-05-29
CVE-2026-47203 [LOW] CWE-178 Authelia Missing Username Canonicalization in Basic Auth (LDAP)
### Impact
**CVSSv4 Baseline Score:** Moderate 6.3
**CVSSv4 Weighted Score:** Low 2.9
The full CVSSv4 Vector for this vulnerability is:
> CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:L/IR:L/AR:L/MAV:N/MAC:H/MAT:N/MPR:N/MUI:N/MVC:L/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green
**CVSSv3.1 Baseline Score:** Low 3.7
**CVSSv3.1 Overall Score:** Medium 4.0
The full CVSSv3.1 Vector equivalent for this vulnerability is:
> CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:X/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N
The weighted severity rating is a result of no indication this is currently being exploited being available at the time of the publish date, in additi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.