Platform
go
Component
github.com/authelia/authelia/v4
Fixed in
4.39.16
4.39.16
CVE-2026-33525 describes a Cross-Site Scripting (XSS) vulnerability within Authelia v4. This vulnerability arises from improper configuration of the Content Security Policy (CSP) template, potentially allowing attackers to inject malicious scripts. Versions of Authelia prior to 4.39.16 are affected. The vulnerability is mitigated by upgrading to version 4.39.16 or carefully reviewing and securing CSP template configurations.
The impact of CVE-2026-33525 hinges on the configuration of the Content Security Policy (CSP) template within Authelia. The vulnerability is only exploitable if the CSP template has been disabled or modified from the default, safe value. If exploited, an attacker could inject malicious JavaScript code into web pages viewed by users, potentially leading to session hijacking, data theft, or defacement of the Authelia interface. The severity is rated as Low, reflecting the requirement for specific, non-standard configurations to be present for exploitation.
CVE-2026-33525 was publicly disclosed on 2026-03-24. There are currently no known public proof-of-concept exploits available. The vulnerability's severity is rated as Low by the NVD, indicating a relatively low probability of exploitation in the wild. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
The primary mitigation for CVE-2026-33525 is to upgrade Authelia to version 4.39.16 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, carefully review and secure the CSP template configuration. Ensure the csp_template value is either left unconfigured (using the default safe value) or explicitly set to an approved, secure value. Avoid disabling the CSP entirely. After upgrading, confirm the fix by verifying that the CSP template is correctly configured and that no unauthorized scripts are being injected.
Actualice a la versión 4.39.16 o regrese a la versión 4.39.14 para mitigar la vulnerabilidad XSS. Si no es posible actualizar o degradar, asegúrese de que las directivas `script-src` y `connect-src` de la política de seguridad de contenido (CSP) no se hayan modificado de manera que permitan la ejecución de scripts no confiables. La configuración predeterminada de CSP imposibilita la explotación de esta vulnerabilidad.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33525 is a Cross-Site Scripting (XSS) vulnerability in Authelia v4 affecting versions up to 4.39.15. It arises from misconfigured Content Security Policy (CSP) templates, allowing potential script injection.
You are affected if you are running Authelia v4 versions 4.39.15 or earlier and have modified or disabled the default Content Security Policy (CSP) template.
Upgrade Authelia to version 4.39.16 or later. Alternatively, carefully review and secure your CSP template configuration, ensuring it uses the default safe value or a properly configured alternative.
There are currently no confirmed reports of active exploitation of CVE-2026-33525, but the vulnerability remains a potential risk.
Refer to the official Authelia security advisory for detailed information and updates: [https://github.com/authelia/authelia/security/advisories/GHSA-xxxx-xxxx-xxxx](Replace with actual advisory URL when available)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.