CVE-2026-48794 authelia CVE debrief

Who should care

Defenders managing Authelia instances, particularly those with complex access control configurations, should be aware of this vulnerability. The attack conditions are highly specific, but successful exploitation could lead to unauthorized access. Prioritization should be based on the sensitivity of protected resources and the likelihood of such specific attacks occurring.

Technical summary

The vulnerability in Authelia (CVE-2026-48794) stems from inadequate domain canonicalization, leading to potential access control bypass. The conditions for exploitation are stringent: the target resource must use forwarded authorization integration; the requested domain must have two additional segments compared to the session domain; specific inexact domain matches must be configured; rules must be ordered from most to least specific; the second rule must be more permissive; the attacker must request a URL with capitalized letters in the second domain segment; the integration must not be Envoy ExtAuthz; and the proxy must not canonicalize the host name. The CVSS score is 1.3, indicating low severity.

Defensive priority

Low severity, but prioritize patching due to potential for unauthorized access in specific configurations.

Recommended defensive actions

• Inventory Authelia instances and verify affected versions (4.36.0-4.39.19).
• Review access control configurations for complexity and potential exposure.
• Apply patch to version 4.39.20 or later.
• Monitor for unusual authentication attempts.
• Verify proxy configurations for host name canonicalization.

Evidence notes

Primary evidence comes from the CVE record and Authelia's security advisory. The vulnerability affects Authelia versions 4.36.0 through 4.39.19. Defenders should verify their instance versions and configurations against the advisory. Evidence limits suggest a focused attack surface.

Official resources