CVE-2026-33525 Overview
CVE-2026-33525 is a Cross-Site Scripting (XSS) vulnerability in Authelia, an open-source authentication and authorization server that provides two-factor authentication and single sign-on (SSO) for applications via a web portal. In version 4.39.15, an attacker may potentially inject JavaScript into the Authelia login page if several conditions are met simultaneously. The vulnerability stems from insufficient neutralization of the language cookie value when rendering the HTML template.
Critical Impact
While classified as low severity, this XSS vulnerability could potentially allow attackers to execute malicious JavaScript in the context of authenticated user sessions if Content Security Policy (CSP) protections have been deliberately weakened or removed.
Affected Products
- Authelia version 4.39.15
- Installations with modified script-src CSP directive
- Installations with modified connect-src CSP directive
Discovery Timeline
- 2026-03-26 - CVE-2026-33525 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33525
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The root issue lies in how Authelia processes the language cookie value during HTML template rendering on the login page. When this cookie value is not properly sanitized, an attacker can craft a malicious cookie payload that injects JavaScript code into the rendered page.
However, exploitation requires specific conditions to be met. The default Authelia Content Security Policy configuration makes exploitation completely impossible. An attacker would need to identify both a vulnerable Authelia instance and understand the secondary application configuration, which significantly increases the difficulty of successful exploitation.
Root Cause
The vulnerability is caused by the lack of neutralization of the language cookie value when rendering the HTML template. When Authelia processes user requests and builds the login page, it incorporates the language preference from the cookie without adequate input validation or output encoding. This allows specially crafted cookie values containing JavaScript payloads to be reflected directly into the page's HTML content.
Attack Vector
The attack requires adjacent network access and involves multiple prerequisites for successful exploitation:
- The target Authelia installation must be running version 4.39.15
- The administrator must have modified the default Content Security Policy, specifically weakening both the script-src and connect-src directives
- The attacker must be able to set or manipulate the victim's language cookie
- User interaction is required for the attack to succeed
The vulnerability is difficult to fingerprint due to Authelia's design, though not impossible. Identifying vulnerable secondary application configurations presents an additional challenge for attackers.
The attack mechanism involves crafting a malicious language cookie value containing JavaScript code that bypasses weakened CSP protections. When the victim's browser loads the Authelia login page, the unsanitized cookie value is rendered into the HTML, causing the malicious script to execute. For technical details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-33525
Indicators of Compromise
- Unusual or malformed values in the language cookie containing script tags or JavaScript event handlers
- Unexpected JavaScript execution attempts blocked by Content Security Policy in browser console logs
- Anomalous HTTP requests to the Authelia login page with suspicious cookie headers
Detection Strategies
- Monitor web application firewall (WAF) logs for XSS patterns in cookie headers targeting Authelia endpoints
- Implement browser-side CSP violation reporting to detect exploitation attempts
- Review Authelia access logs for unusual patterns in requests to the login page with malformed language cookie values
Monitoring Recommendations
- Enable CSP violation reporting by configuring the report-uri or report-to directive in your Content Security Policy
- Monitor authentication logs for anomalous login page access patterns
- Implement alerting on any modifications to CSP configuration in your reverse proxy or Authelia settings
How to Mitigate CVE-2026-33525
Immediate Actions Required
- Verify your Authelia installation is not running version 4.39.15
- Review your Content Security Policy configuration to ensure default protections are in place
- Audit any customizations made to script-src and connect-src directives
- Upgrade to Authelia version 4.39.16 or downgrade to version 4.39.14
Patch Information
The Authelia development team has addressed this vulnerability in version 4.39.16. Users should upgrade to this version to receive the security fix. Alternatively, users can downgrade to version 4.39.14, which does not contain the vulnerable code. For complete patch details and upgrade instructions, refer to the GitHub Security Advisory.
Workarounds
- Ensure the default Content Security Policy remains intact and unmodified
- Do not remove or weaken the script-src directive in your CSP configuration
- Avoid using unsafe-inline or unsafe-eval in Content Security Policy directives
- The overwhelming majority of installations are not affected and no workarounds are necessary if default CSP is maintained
# Verify Authelia version and upgrade
docker pull authelia/authelia:4.39.16
# Or using package manager
apt update && apt install authelia=4.39.16
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
