PT-2026-51025 · Authelia · Authelia

J0Hndo · Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-48794

CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Authelia versions 4.36.0 through 4.39.19

Description: Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO). Because the requested domain is not canonicalized in certain edge cases, an access control rule can be skipped. The issue arises when the target resource uses the forwarded authorization integration, the requested domain has two more segments than the session domain, and two separate rules with inexact domain matches (such as wildcards, username or group matches) are ordered from most specific to least specific, with the second rule being more permissive. Exploitation requires the attacker to request a URL for the more specific domain in which the second segment contains capitalized letters; it applies only when the Envoy ExtAuthz integration is not in use and the proxy does not canonicalize the requested host name in the header before forwarding it to the authorization endpoint.

Recommendations: Upgrade to 4.39.20.
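To make the bug class in the description concrete, the following is an added illustration, not Authelia's code: a minimal first-match rule evaluator whose wildcard comparison is case-sensitive, beside the same evaluator with the host lowercased before matching. The rule syntax, the hostnames, the policy names and the default "deny" are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified access-control rule: an exact host or a leading
// wildcard such as "*.example.com", plus the policy it applies.
// Constructed illustration of the bug class; not Authelia's rule engine.
type Rule struct {
	Domain string
	Policy string
}

// matchDomain: "*.x" matches hosts ending in ".x", else exact; byte-wise, so case-sensitive.
func matchDomain(pattern, host string) bool {
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:])
	}
	return pattern == host
}

// policyVulnerable returns the policy of the first rule matching the host as
// received, or the assumed default "deny". A host whose letter case differs
// from the specific pattern falls through to the later, broader rule.
func policyVulnerable(rules []Rule, host string) string {
	for _, r := range rules {
		if matchDomain(r.Domain, host) {
			return r.Policy
		}
	}
	return "deny"
}

// policyFixed canonicalizes the host before matching: DNS names are
// case-insensitive (RFC 4343), so lowercase it and then apply the same walk.
func policyFixed(rules []Rule, host string) string {
	return policyVulnerable(rules, strings.ToLower(host))
}

func main() {
	rules := []Rule{
		{Domain: "*.admin.example.com", Policy: "two_factor"}, // most specific first
		{Domain: "*.example.com", Policy: "one_factor"},       // broader, more permissive
	}
	for _, host := range []string{"app.admin.example.com", "app.Admin.example.com"} {
		fmt.Printf("%-22s vulnerable=%-10s fixed=%s\n", host, policyVulnerable(rules, host), policyFixed(rules, host))
	}
}
```

The same fix belongs at the proxy as well: canonicalizing the forwarded host header before it reaches the authorization endpoint is the condition the advisory names as preventing the rule skip.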

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-48794

Affected Products: Authelia