CVE-2026-33525: XSS in Authelia v4
Platform: go
Component: github.com/authelia/authelia/v4
Fixed in: 4.39.16
CVE-2026-33525 describes a Cross-Site Scripting (XSS) vulnerability within Authelia v4. This vulnerability arises from improper configuration of the Content Security Policy (CSP) template, potentially allowing attackers to inject malicious scripts. Versions of Authelia prior to 4.39.16 are affected. The vulnerability is mitigated by upgrading to version 4.39.16 or carefully reviewing and securing CSP template configurations.
Impact and Attack Scenarios
The impact of CVE-2026-33525 hinges on the configuration of the Content Security Policy (CSP) template within Authelia. The vulnerability is only exploitable if the CSP template has been disabled or modified from the default, safe value. If exploited, an attacker could inject malicious JavaScript code into web pages viewed by users, potentially leading to session hijacking, data theft, or defacement of the Authelia interface. The severity is rated as Low, reflecting the requirement for specific, non-standard configurations to be present for exploitation.
Exploitation Context
CVE-2026-33525 was publicly disclosed on 2026-03-24. There are currently no known public proof-of-concept exploits available. The vulnerability's severity is rated as Low by the NVD, indicating a relatively low probability of exploitation in the wild. It is not currently listed on the CISA KEV catalog.
Threat Intelligence
EPSS: 0.05% (15th percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2026-33525 is to upgrade Authelia to version 4.39.16 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, carefully review and secure the CSP template configuration. Ensure the csp_template value is either left unconfigured (using the default safe value) or explicitly set to an approved, secure value. Avoid disabling the CSP entirely. After upgrading, confirm the fix by verifying that the CSP template is correctly configured and that no unauthorized scripts are being injected.
How to fix
Upgrade to version 4.39.16, or roll back to version 4.39.14, to mitigate the XSS vulnerability. If neither upgrading nor downgrading is possible, make sure the `script-src` and `connect-src` directives of the Content Security Policy (CSP) have not been modified in a way that permits execution of untrusted scripts. The default CSP configuration makes this vulnerability unexploitable.
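The check the two sections above ask for (keep `script-src` and `connect-src` restrictive, never disable the template) can be automated against the header a deployment actually serves. The following Go program is an added example written for this page; it is not Authelia's code and does not use Authelia's configuration parser. It resolves a serialized Content-Security-Policy value the way a browser does (the first occurrence of a directive wins, `default-src` is the fallback for fetch directives) and reports source expressions in `script-src` and `connect-src` that would let injected script run or reach arbitrary origins. The sample policies in `main` are constructed for illustration and are not Authelia's default `csp_template`; in practice, paste in the header value copied from a response to your Authelia portal.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one weak or missing source in a directive that governs
// script execution or outbound connections.
type Finding struct {
	Directive string // directive that was checked (script-src, connect-src)
	Governing string // directive actually supplying the sources (may be default-src), empty if none
	Source    string // offending source expression, empty when the directive is absent
	Reason    string
}

// ParseCSP splits a serialized policy into directive -> source list.
// As in browsers, a directive repeated later in the policy is ignored.
func ParseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, part := range strings.Split(policy, ";") {
		fields := strings.Fields(part)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		if _, seen := out[name]; seen {
			continue // first occurrence wins
		}
		out[name] = fields[1:]
	}
	return out
}

// governingSources returns the sources that apply to a fetch directive,
// falling back to default-src when the directive itself is absent.
func governingSources(csp map[string][]string, directive string) ([]string, string) {
	if src, ok := csp[directive]; ok {
		return src, directive
	}
	if src, ok := csp["default-src"]; ok {
		return src, "default-src"
	}
	return nil, ""
}

// weakReasons maps source expressions that defeat the purpose of the
// directive to a short explanation for the report.
var weakReasons = map[string]string{
	"'unsafe-inline'": "allows inline scripts, which is what an XSS payload injects (browsers ignore it only when a nonce or hash source is also present)",
	"'unsafe-eval'":   "allows eval()-style execution of attacker-controlled strings",
	"*":               "allows any origin",
	"http:":           "allows any http origin",
	"https:":          "allows any https origin",
	"data:":           "allows attacker-supplied data: URLs",
	"blob:":           "allows attacker-created blob: URLs",
}

// AuditCSP returns findings for script-src and connect-src, the two
// directives the advisory names. It expects the rendered header value
// (any template placeholders already expanded by the server).
func AuditCSP(policy string) []Finding {
	csp := ParseCSP(policy)
	var findings []Finding
	for _, directive := range []string{"script-src", "connect-src"} {
		sources, governing := governingSources(csp, directive)
		if governing == "" {
			findings = append(findings, Finding{
				Directive: directive,
				Reason:    "directive absent and no default-src fallback: browsers apply no restriction",
			})
			continue
		}
		for _, s := range sources {
			if reason, weak := weakReasons[strings.ToLower(s)]; weak {
				findings = append(findings, Finding{directive, governing, s, reason})
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample policies, not Authelia's actual default template.
	policies := []string{
		"default-src 'self'; script-src 'self' 'nonce-r4nd0m'; connect-src 'self'; object-src 'none'",
		"default-src 'self'; script-src 'self' 'unsafe-inline' https:; connect-src *",
		"style-src 'self'",
	}
	for _, p := range policies {
		fmt.Printf("policy: %s\n", p)
		findings := AuditCSP(p)
		if len(findings) == 0 {
			fmt.Println("  ok: script-src and connect-src are restrictive")
		}
		for _, f := range findings {
			if f.Governing == "" {
				fmt.Printf("  %s: %s\n", f.Directive, f.Reason)
				continue
			}
			fmt.Printf("  %s (via %s) %s: %s\n", f.Directive, f.Governing, f.Source, f.Reason)
		}
	}
}
```

The third sample shows the failure mode the advisory warns about: a template that drops `default-src` and the script directives entirely leaves both `script-src` and `connect-src` unrestricted, even though the header is still present. A clean run (no findings) is the expected result for an unmodified template after the upgrade.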
Frequently asked questions
What is CVE-2026-33525 — XSS in Authelia v4?
CVE-2026-33525 is a Cross-Site Scripting (XSS) vulnerability in Authelia v4 affecting versions up to 4.39.15. It arises from misconfigured Content Security Policy (CSP) templates, allowing potential script injection.
Am I affected by CVE-2026-33525 in Authelia v4?
You are affected if you are running Authelia v4 versions 4.39.15 or earlier and have modified or disabled the default Content Security Policy (CSP) template.
How do I fix CVE-2026-33525 in Authelia v4?
Upgrade Authelia to version 4.39.16 or later. Alternatively, carefully review and secure your CSP template configuration, ensuring it uses the default safe value or a properly configured alternative.
Is CVE-2026-33525 being actively exploited?
There are currently no confirmed reports of active exploitation of CVE-2026-33525, but the vulnerability remains a potential risk.
Where can I find the official Authelia advisory for CVE-2026-33525?
Refer to the official Authelia security advisory for detailed information and updates: https://github.com/authelia/authelia/security/advisories/GHSA-xxxx-xxxx-xxxx (placeholder; replace with the actual advisory URL when available).