MEDIUMCVE-2021-21335CVSS 5.3

CVE-2021-21335: Authentication Bypass in SPNEGO HTTP Module

Q: What is CVE-2021-21335 — Authentication Bypass in SPNEGO HTTP Module?

CVE-2021-21335 is a vulnerability in the SPNEGO HTTP Authentication Module for nginx that allows attackers to bypass basic authentication using a malformed username, potentially gaining unauthorized access.

Q: Am I affected by CVE-2021-21335 in SPNEGO HTTP Module?

You are affected if you are using the SPNEGO HTTP Authentication Module for nginx in versions 1.1.1 or earlier and have basic authentication enabled.

Q: How do I fix CVE-2021-21335 in SPNEGO HTTP Module?

Upgrade the SPNEGO HTTP Authentication Module to version 1.1.1 or later. As a temporary workaround, disable basic authentication.

Q: Where can I find the official nginx advisory for CVE-2021-21335?

Refer to the nginx security advisory for details: https://mail.nginx.org/archives/announce/2021/Mar/msg00003.html

Platform

nginx

Component

spnego-http-auth-nginx-module

Fixed in

1.1.2

AI Confidence: highNVDEPSS 0.4%Reviewed: May 2026

View on NVD

Save

CVE-2021-21335 describes an authentication bypass vulnerability within the SPNEGO HTTP Authentication Module for nginx. An attacker can bypass basic authentication by crafting a malformed username, potentially leading to unauthorized access. This issue affects versions of the module prior to 1.1.1, and a fix is available in version 1.1.1.

Impact and Attack Scenarios

This vulnerability allows an attacker to bypass basic authentication within the nginx SPNEGO HTTP Authentication Module. By sending a specially crafted username, an attacker can potentially gain access to resources protected by basic authentication without providing valid credentials. The impact is significant as it can lead to unauthorized access to sensitive data or functionality exposed by the web server. This bypass circumvents the intended security controls, allowing attackers to impersonate legitimate users.

Exploitation Context

This CVE was publicly disclosed on March 8, 2021. There are currently no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept exploits have been widely published. The vulnerability is not listed on the CISA KEV catalog at the time of this writing.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.42% (62% percentile)

CVSS Vector

Affected Software

Componentspnego-http-auth-nginx-module

Vendorstnoonan

Affected rangeFixed in

< 1.1.1 – < 1.1.11.1.2

Weakness Classification (CWE)

CWE-287

Timeline

Reserved2020-12-22
Published2021-03-08
Modified2024-08-03
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2021-21335 is to upgrade the SPNEGO HTTP Authentication Module to version 1.1.1 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, disabling basic authentication is a viable workaround. This prevents the vulnerability from being exploited, although it may impact legitimate users relying on basic authentication. Review nginx configuration to ensure basic authentication is only enabled where absolutely necessary.

How to fix

Update the spnego-http-auth-nginx-module to version 1.1.1 or higher. As an alternative, disable basic authentication.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2021-21335 — Authentication Bypass in SPNEGO HTTP Module?