CVE-2026-48794
Received Received - Intake
Access Control Bypass in Authelia Due to Domain Canonicalization Flaw

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. The specific conditions that could lead to a security issue for vulnerability are: 1. The specific target resource of the attack must be using the forwarded authorization integration; 2. The requested domain must have two additional segments compared to a session domain i.e. `a.b.example.com` is requested, but the session domain is `example.com`; 3. There access control rules must specify two separate rules which both contain inexact domain matches such as `*.b.example.com` and `*.example.com` i.e. wildcards, username matches, group matches; 4. The rules must be in order of most specific domain to least specific domain; 5. The second rule must be more permissive than the first rule; 6. The attacker must specifically request a URL for the more specific domain, with the second part containing one or more capitalized letters i.e. `https://a.B.example.com` and no other segment with capitalized letters; 7. The integration used must not be the Envoy ExtAuthz integration; and 8. The proxy must not canonicalize the requested host name in the relevant header before sending it to the relevant authorization endpoint. The kind of configuration used to produce this issue and result in a `bypass` rule being matched has long been highly discouraged. Essentially hosts which should be bypassed entirely should not be secured by having the proxy check them with the authorization handlers. Upgrade to 4.39.20 to receive a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-19
Last Modified
2026-06-19
Generated
2026-06-21
AI Q&A
2026-06-20
EPSS Evaluated
N/A
NVD
CVE-2026-48794
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
authelia authelia From 4.36.0 (inc) to 4.39.19 (inc)
authelia authelia 4.39.20
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Authelia versions 4.36.0 through 4.39.19, an open-source authentication and authorization server. Due to a lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. This can happen under a complex set of conditions involving the use of forwarded authorization integration, specific domain structures with additional segments, multiple inexact domain match rules ordered from most to least specific, and the presence of capitalized letters in certain parts of the requested domain. If these conditions are met, an attacker could bypass access control rules.

The issue arises because the proxy does not canonicalize the requested host name before sending it to the authorization endpoint, allowing a bypass of the intended access control. The vulnerability is fixed in version 4.39.20.

Impact Analysis

This vulnerability can allow an attacker to bypass access control rules in Authelia under very specific conditions. This means that unauthorized users might gain access to resources that should be protected, potentially exposing sensitive information or allowing unauthorized actions within applications secured by Authelia.

Mitigation Strategies

To mitigate this vulnerability, upgrade Authelia to version 4.39.20 or later, which contains the patch addressing the issue.

Additionally, avoid configurations where hosts that should be bypassed are still checked by the proxy with authorization handlers, as this setup is highly discouraged and can lead to bypasses.

Detection Guidance

This vulnerability arises from very specific configuration conditions in Authelia versions 4.36.0 through 4.39.19 involving domain canonicalization and access control rules. Detection involves verifying if your Authelia deployment matches these conditions.

  • Check the Authelia version to see if it is between 4.36.0 and 4.39.19.
  • Review your access control rules for the presence of two separate rules with inexact domain matches such as '*.b.example.com' and '*.example.com' ordered from most specific to least specific.
  • Verify if the requested domains in your logs include domains with two additional segments compared to the session domain, e.g., 'a.b.example.com' vs 'example.com'.
  • Check if the proxy or authorization integration does not canonicalize the requested host name before authorization.

Since no specific detection commands or tools are provided in the available information, a general approach is to audit configuration files and logs manually. For example, you can use commands like:

  • To check Authelia version: `authelia --version` or check the version in your deployment manifests.
  • To search for access control rules in configuration files: `grep -E '\*\.b\.example\.com|\*\.example\.com' /path/to/authelia/configuration.yml`
  • To analyze logs for suspicious domain requests with capitalized letters in the second segment: `grep -E 'https://[a-zA-Z]+\.[A-Z][a-zA-Z]*\.example\.com' /path/to/authelia/logs.log`

Upgrading Authelia to version 4.39.20 or later is recommended to patch this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48794. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart