CVE-2026-48794
published 2026-06-19CVE-2026-48794: Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web…
PriorityP420low1.3CVSS 4.0
AVNACHATPPRLUINVCLVINVANSCLSINSANEPCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.28%
20.0th percentile
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. The specific conditions that could lead to a security issue for vulnerability are: 1. The specific target resource of the attack must be using the forwarded authorization integration; 2. The requested domain must have two additional segments compared to a session domain i.e. `a.b.example.com` is requested, but the session domain is `example.com`; 3. There access control rules must specify two separate rules which both contain inexact domain matches such as `*.b.example.com` and `*.example.com` i.e. wildcards, username matches, group matches; 4. The rules must be in order of most specific domain to least specific domain; 5. The second rule must be more permissive than the first rule; 6. The attacker must specifically request a URL for the more specific domain, with the second part containing one or more capitalized letters i.e. `https://a.B.example.com` and no other segment with capitalized letters; 7. The integration used must not be the Envoy ExtAuthz integration; and 8. The proxy must not canonicalize the requested host name in the relevant header before sending it to the relevant authorization endpoint. The kind of configuration used to produce this issue and result in a `bypass` rule being matched has long been highly discouraged. Essentially hosts which should be bypassed entirely should not be secured by having the proxy check them with the authorization handlers. Upgrade to 4.39.20 to receive a patch.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| authelia | authelia | — | — |
| github.com | authelia_authelia_v4 | >= 4.36.0 < 4.39.20 | 4.39.20 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Authelia has an Edge Case Access Control Rule Mismatch
ghsa·2026-06-26
CVE-2026-48794 [LOW] CWE-178 Authelia has an Edge Case Access Control Rule Mismatch
Authelia has an Edge Case Access Control Rule Mismatch
### Impact
**CVSSv4 Baseline Score:** Low 2.4
**CVSSv4 Weighted Score:** Low 1.3
The full CVSSv4 Vector for this vulnerability is:
> CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:H/IR:L/AR:L/MAV:N/MAC:H/MAT:P/MPR:L/MVC:L/MVI:N/MVA:N/MSC:L/MSI:N/MSA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Amber
**CVSSv3.1 Baseline Score:** Low 3.1
**CVSSv3.1 Overall Score:** Low 3.4
The full CVSSv3.1 Vector equivalent for this vulnerability is:
> CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:L/MUI:X/MS:U/MC:L/MI:N/MA:N
The weighted severity rating is a result of no indication this is currently being exploited being available at the time of the publish date, in addition to the fact it's unl
VulDB
Authelia up to 4.39.19 Relevant Authorization Endpoint case sensitivity (GHSA-j748-h363-wqj8 / EUVD-2026-38083)
vuldb·2026-06-19
CVE-2026-48794 [LOW] Authelia up to 4.39.19 Relevant Authorization Endpoint case sensitivity (GHSA-j748-h363-wqj8 / EUVD-2026-38083)
A vulnerability identified as problematic has been detected in Authelia up to 4.39.19. Affected by this vulnerability is an unknown functionality of the component Relevant Authorization Endpoint. This manipulation causes improper handling of case sensitivity.
This vulnerability appears as CVE-2026-48794. The attack may be initiated remotely. There is no available exploit.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-19
Published