Authelia vulnerable to an authentication bypassed with malformed request URI on nginx

The primary impact of CVE-2021-32637 lies in the potential for unauthorized access. Attackers can bypass Authelia's authentication mechanism by manipulating HTTP requests, effectively gaining access to protected resources without proper credentials. This could lead to data breaches, account compromise, and potential system takeover. The vulnerability's reliance on the ngxhttpauthrequestmodule means that environments using this configuration are particularly at risk. While the description notes potential impact on other proxy servers, the focus is on nginx due to its widespread support and use with Authelia.

Organizations utilizing Authelia v4 in conjunction with nginx's ngxhttpauthrequestmodule are at risk. This includes environments relying on Authelia for single sign-on (SSO) or multi-factor authentication (MFA) for web applications. Shared hosting environments where nginx configuration is managed by the hosting provider are also potentially vulnerable, as they may be using the affected configuration without explicit awareness.

• linux / server: Monitor nginx access logs for unusual HTTP request patterns, particularly those containing malformed URI paths. Use journalctl -u nginx to check for errors related to authentication requests.

 grep -i 'auth_request' /var/log/nginx/access.log | grep -i 'malformed'

• generic web: Use curl to test authentication endpoints with crafted requests containing unusual characters or URI structures. Examine response headers for unexpected behavior.

curl -v --url 'https://your-authelia-protected-site/some-protected-resource?param=';

1. 2021-12-20Disclosure

   disclosure

1. Gereserveerd2021-05-12
2. Gepubliceerd2021-12-20
3. Gewijzigd2026-03-13
4. EPSS bijgewerkt2026-04-02

The recommended mitigation for CVE-2021-32637 is to upgrade Authelia to version 4.29.3 or later. This version includes a direct fix for the vulnerability. If upgrading is not immediately feasible, the Authelia team provides a git patch for version 4.25.1 that can be applied as a temporary workaround. Carefully review the patch instructions and test thoroughly in a non-production environment before deploying to production. Consider implementing stricter input validation on the nginx side to further reduce the attack surface. After upgrade, confirm authentication bypass protection by attempting to access protected resources with crafted HTTP requests.