JavaScript Injection Vulnerability in Authelia Login Page by Authelia
CVE-2026-33525
What is CVE-2026-33525?
Authelia, an open-source authentication and authorization server, has a JavaScript injection vulnerability in its login page. The root cause is insufficient neutralization of the language cookie value when it is rendered into the HTML template, so a crafted cookie value can reach the page markup. Exploitation is only possible when the Content Security Policy (CSP) has been changed from its default: both the script-src directive (which governs whether an injected script can execute) and the connect-src directive (which governs where a script may send requests) must have been weakened, and the default policy blocks the attack. Authelia's design makes the affected configuration hard to identify by fingerprinting, although a deliberate, targeted attempt could still find it. Users are advised to upgrade to version 4.39.16 or revert to version 4.39.14; deployments that have customized both directives should do so promptly. Most installations are not affected and need no workaround, because the default CSP prevents exploitation in the majority of cases.
Affected Version(s)
authelia = 4.39.15
