CVE-2026-47203
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth (i.e via the Authorization header with the Basic scheme) on the authz verification endpoint, Authelia takes the username directly from the Authorization header and passes it as is to the regulation system for ban checking and attempt recording. LDAP treats usernames case insensitively : john, John, and JOHN all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a usernames case to have its own ban bucket. Upgrade to 4.39.20 to receive a patch. As a workaround, explicitly disable the basic auth mechanism.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| authelia | authelia | >= 4.38.0, < 4.39.20 | affected |
Weaknesses
- CWE-178: CWE-178: Improper Handling of Case Sensitivity
- CWE-307: CWE-307: Improper Restriction of Excessive Authentication Attempts
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/authelia/authelia/security/advisories/GHSA-hjj4-hfjm-fmrj
- https://github.com/authelia/authelia/commit/b8985b57b70acdff8f204ed426ff619e763461ad
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.