CVE-2026-33525
Stored XSS in Authelia Login Page via Language Cookie Injection
Publication date: 2026-03-26
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| authelia | authelia | 4.39.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33525 is a low-severity Cross-site Scripting (XSS) vulnerability in Authelia version 4.39.15. It occurs because the application does not properly neutralize the value of the "language" cookie when rendering the HTML template on the login page. This can potentially allow an attacker to inject malicious JavaScript into the login page.
However, exploitation requires several strict conditions: the Content Security Policy (CSP) must be deliberately weakened or disabled, specifically both the `script-src` and `connect-src` directives; Authelia must be hosted on a domain shared with other applications that can write cookies for that domain; one of those applications must be vulnerable to executing malicious JavaScript; and the attacker must manipulate cookies and induce a user to execute the malicious script.
Because of these heavy prerequisites and the default secure CSP configuration, exploitation is considered highly unlikely and mostly theoretical.
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker to execute malicious JavaScript in the context of the Authelia login page, potentially leading to low confidentiality and integrity impacts such as stealing or manipulating user data within that page.
However, the impact is limited due to the complexity of exploitation, the requirement for weakened CSP policies, and the need for a vulnerable adjacent application on the same domain. There is no impact on availability.
Most installations are not affected because the default Content Security Policy prevents exploitation, and no workarounds are necessary if the default CSP is maintained.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability is challenging because of the complex and specific conditions required for exploitation. It comes down to checking whether the Authelia instance is running version 4.39.15 and whether its Content Security Policy (CSP) has been deliberately weakened or modified from the secure default.
To detect potential exposure, you can verify the Authelia version and inspect the CSP headers on the login page.
- Check Authelia version by querying the application or reviewing deployment manifests.
- Use curl or a similar tool to inspect the HTTP response headers for the CSP, for example:
  curl -I https://your-authelia-domain/login | grep -i Content-Security-Policy
- Check whether the `script-src` and `connect-src` directives are present and whether they include unsafe source keywords such as 'unsafe-inline' or 'unsafe-eval'.
Additionally, fingerprinting the presence of other applications on the same domain that can write cookies and checking for any vulnerable adjacent applications is necessary but significantly more complex and not easily automated.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading or downgrading Authelia to a safe version and ensuring the Content Security Policy is not weakened.
- Upgrade Authelia to version 4.39.16 or downgrade to 4.39.14; neither of those releases contains this vulnerability.
- Maintain the default secure Content Security Policy configuration, which disallows unsafe inline scripts and arbitrary connections.
- Avoid custom CSP policies that include unsafe source keywords such as 'unsafe-inline', 'unsafe-eval', or 'unsafe-hashes'.
Since the vulnerability requires deliberate weakening of CSP and specific conditions involving other applications on the same domain, ensuring these conditions are not met effectively prevents exploitation.
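The two checks described in the detection and mitigation answers above, as an added example that is not part of this advisory or of the Authelia project: it parses a Content-Security-Policy header value into directives, flags the weakening the advisory describes (`script-src` or `connect-src` missing, carrying unsafe source keywords, or open to any origin), and compares the reported version against the single affected release. The CSP strings are constructed samples; in practice the header value comes from the curl command shown earlier, and the function names are this example's own.

```python
# Added example, not Authelia project code. The CSP strings are constructed samples;
# in practice the header value comes from the curl command shown in the detection answer.
AFFECTED_VERSION = (4, 39, 15)            # the single release the advisory lists
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'"}
REQUIRED = ("script-src", "connect-src")  # the directives the advisory says must stay intact

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def csp_findings(header: str) -> list[str]:
    """Return the ways the policy is weakened in the advisory's sense ([] if it is intact)."""
    policy = parse_csp(header)
    findings = []
    for directive in REQUIRED:
        # Browsers fall back to default-src when a fetch directive is absent.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append(f"{directive} absent with no default-src fallback")
            continue
        unsafe = sorted(UNSAFE_KEYWORDS & set(sources))
        if unsafe:
            findings.append(f"{directive} allows {', '.join(unsafe)}")
        if "*" in sources:
            findings.append(f"{directive} allows any origin (*)")
    return findings

def is_affected_version(version: str) -> bool:
    """True only for 4.39.15; 4.39.14 and 4.39.16 are both unaffected per the advisory."""
    core = version.lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split(".")) == AFFECTED_VERSION

def exposure(version: str, csp_header: str) -> str:
    """Combine the version and CSP checks into one verdict for a deployment."""
    if not is_affected_version(version):
        return "not affected: version is not 4.39.15"
    findings = csp_findings(csp_header)
    if not findings:
        return "affected version, but CSP is intact so exploitation is blocked"
    return "affected version with weakened CSP: " + "; ".join(findings)

# Constructed samples: a default-style policy and a deliberately weakened one.
STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; object-src 'none'"
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src *"
```

Running `exposure("4.39.15", WEAK_CSP)` reports the weakened `script-src` and `connect-src`, while the same version with `STRICT_CSP` is reported as blocked by the intact policy.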
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Authelia version 4.39.15 involves potential Cross-site Scripting (XSS) due to improper neutralization of the language cookie value when rendering HTML templates. However, exploitation requires deliberate weakening of Content Security Policy (CSP) and several complex conditions, making it highly unlikely.
Because the vulnerability could theoretically allow injection of malicious scripts, if exploited it might lead to unauthorized access or data exposure, which could impact compliance with standards like GDPR or HIPAA that require protection of personal and sensitive data.
Nonetheless, the default secure CSP configuration in Authelia prevents exploitation, and most installations are unaffected unless CSP is deliberately weakened. Therefore, maintaining secure CSP settings and upgrading to a fixed version mitigates the risk and helps maintain compliance with common data protection regulations.