Platform: go
Component: github.com/authelia/authelia/v4
Fixed in: 4.39.16
CVE-2026-33525 is a Cross-Site Scripting (XSS) vulnerability in Authelia v4. It is exploitable only when the Content Security Policy (CSP) template (the server.headers.csp_template setting) has been customised or disabled: the default policy blocks the injected script in the browser, so a non-default template is what turns the issue into a working script injection. Versions of Authelia prior to 4.39.16 are affected. Upgrading to 4.39.16 fixes the issue; until then, the CSP template configuration should be reviewed and left at (or returned to) a value that still blocks injected script.
The impact of CVE-2026-33525 therefore hinges on the CSP template configuration. If exploited, an attacker could inject JavaScript into pages of the Authelia portal viewed by other users, which can lead to session hijacking, theft of data shown in the portal, or defacement of the Authelia interface. The severity is rated Low, reflecting that a specific, non-standard configuration has to be present before the vulnerability can be exploited.
CVE-2026-33525 was publicly disclosed on 2026-03-24. No public proof-of-concept exploit is known at the time of writing. The NVD rates the severity as Low; the likelihood of exploitation is tracked separately by EPSS (see below) and is also low. The vulnerability is not listed in the CISA KEV catalog.
Organizations running Authelia v4 with a customised or disabled CSP template are at risk, in particular deployments that changed the template to accommodate a non-standard front end or integration. Also at risk is any deployment where a reverse proxy or other component in front of Authelia strips or rewrites the Content-Security-Policy header, since what matters is the header the browser actually receives, not only the value in Authelia's configuration.
• linux / server: Examine the Authelia configuration for a non-default csp_template value (the key is server.headers.csp_template). An absent or empty value means Authelia's built-in default policy is in use. Search the configuration file, for example /etc/authelia/authelia.yaml or wherever it is installed:
  grep -n 'csp_template:' /etc/authelia/authelia.yaml
• generic web: Monitor for CSP violations reported by browsers if a reporting directive (report-to or report-uri) is configured on the policy, and watch Authelia's access logs for unexpected request patterns against the portal. Server-side logs do not record script execution in the browser, so header inspection is the more reliable check.
• generic web: Use a web proxy or browser developer tools to inspect the Content-Security-Policy header on responses from the Authelia portal. Confirm that the script-src directive (or default-src, if script-src is absent) does not contain 'unsafe-inline' without a nonce or hash, wildcards, or scheme-only sources such as https: or data:.
Exploit status: no public proof-of-concept exploit known
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-33525 is to upgrade Authelia to version 4.39.16 or later, which contains the fix. If upgrading is not immediately feasible, review the CSP template configuration: leave csp_template unset (so the built-in default applies) or set it explicitly to an approved value that still restricts script execution, and never disable the CSP entirely. After upgrading, confirm the running version is 4.39.16 or later and check that the Content-Security-Policy header served by the portal matches the expected value.
Upgrade to version 4.39.16 or roll back to version 4.39.14 to mitigate the XSS vulnerability. If neither upgrading nor downgrading is possible, make sure that the script-src and connect-src directives of the Content Security Policy (CSP) have not been modified in a way that allows untrusted scripts to execute. The default CSP configuration makes exploitation of this vulnerability impossible.
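The configuration check and header inspection from the detection steps above, and the "unset or approved value" requirement from the mitigation guidance, as one script. This is an added example written for this page, not Authelia's code. It assumes the YAML key server.headers.csp_template (as documented by Authelia); the two configuration snippets are constructed, not taken from a real deployment. The policy checker accepts any CSP string, so the same function can be pointed at a Content-Security-Policy header captured from a live response to verify what the browser actually receives.

```python
"""Audit an Authelia csp_template value, or a served Content-Security-Policy
header, for sources that would let injected script execute.

Added example, not Authelia's code. Assumes the YAML key
server.headers.csp_template; the sample configs below are constructed."""
import re

# Sources that let attacker-controlled script run. 'unsafe-inline' is handled
# separately because CSP Level 2 browsers ignore it once a nonce or hash is present.
WEAK_SOURCES = {"'unsafe-eval'", "*", "data:", "http:", "https:", "blob:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Parse a CSP string into {directive: [sources]}.
    Per the spec, a repeated directive keeps its first occurrence."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def script_sources(policy: dict):
    """Sources governing <script>: script-src, else the default-src fallback, else None."""
    for directive in ("script-src", "default-src"):
        if directive in policy:
            return policy[directive]
    return None


def csp_findings(header: str) -> list:
    """Return the reasons a policy would let injected script run; [] means acceptable."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: scripts from any origin and inline scripts run"]
    findings = []
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in sources)
    for src in sources:
        low = src.lower()
        if low in WEAK_SOURCES:
            findings.append(f"script source {src} permits attacker-supplied script")
        elif low == "'unsafe-inline'" and not has_nonce_or_hash:
            findings.append("'unsafe-inline' without a nonce or hash permits inline script")
    return findings


# Matches the csp_template line of an Authelia configuration file.
CSP_TEMPLATE_RE = re.compile(r"^\s*csp_template\s*:\s*(.*?)\s*$", re.MULTILINE)


def csp_template_from_config(yaml_text: str):
    """Return the csp_template value from the config text, or None when absent.
    A line-level regex instead of a YAML parser so it runs with the stdlib only;
    it assumes the single-line scalar form shown in the Authelia docs."""
    m = CSP_TEMPLATE_RE.search(yaml_text)
    if m is None:
        return None
    value = m.group(1)
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # unquote a quoted scalar
    return value


def audit_config(yaml_text: str) -> list:
    """[] when csp_template is unset/empty (Authelia's built-in default applies)
    or is set to a policy that still blocks injected script; otherwise the findings."""
    value = csp_template_from_config(yaml_text)
    if not value:
        return []
    return csp_findings(value)


# Constructed sample configurations (not taken from a real deployment).
CONFIG_DEFAULT = """\
server:
  address: 'tcp://:9091'
  headers:
    csp_template: ''
"""

CONFIG_WEAKENED = """\
server:
  address: 'tcp://:9091'
  headers:
    csp_template: "default-src 'self'; script-src 'self' 'unsafe-inline' https:; object-src 'none'"
"""

if __name__ == "__main__":
    for label, cfg in (("default", CONFIG_DEFAULT), ("weakened", CONFIG_WEAKENED)):
        print(label, audit_config(cfg) or "ok")
```

The weakened sample yields two findings ('unsafe-inline' with no nonce or hash, and the scheme-only source https:), while the default sample yields none because an empty template means Authelia's own policy is served. To check a running instance, paste the Content-Security-Policy header value from a response into csp_findings(); a policy that carries a per-response nonce alongside 'unsafe-inline' is accepted, since CSP Level 2 browsers then ignore the 'unsafe-inline' token.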
CVE-2026-33525 is a Cross-Site Scripting (XSS) vulnerability in Authelia v4 affecting versions up to 4.39.15. It arises from misconfigured Content Security Policy (CSP) templates, allowing potential script injection.
You are affected if you are running Authelia v4 versions 4.39.15 or earlier and have modified or disabled the default Content Security Policy (CSP) template.
Upgrade Authelia to version 4.39.16 or later. Alternatively, carefully review and secure your CSP template configuration, ensuring it uses the default safe value or a properly configured alternative.
There are currently no confirmed reports of active exploitation of CVE-2026-33525, but the vulnerability remains a potential risk.
Refer to the official Authelia security advisories on GitHub for detailed information and updates: https://github.com/authelia/authelia/security/advisories (the specific advisory identifier for this CVE is not given here).