Platform: go
Component: github.com/authelia/authelia/v4
Fixed in: 4.39.16
CVE-2026-33525 describes a Cross-Site Scripting (XSS) vulnerability within Authelia v4. This vulnerability arises from improper configuration of the Content Security Policy (CSP) template, potentially allowing attackers to inject malicious scripts. Versions of Authelia prior to 4.39.16 are affected. The vulnerability is mitigated by upgrading to version 4.39.16 or carefully reviewing and securing CSP template configurations.
The impact of CVE-2026-33525 hinges on the configuration of the Content Security Policy (CSP) template within Authelia. The vulnerability is only exploitable if the CSP template has been disabled or modified from the default, safe value. If exploited, an attacker could inject malicious JavaScript code into web pages viewed by users, potentially leading to session hijacking, data theft, or defacement of the Authelia interface. The severity is rated as Low, reflecting the requirement for specific, non-standard configurations to be present for exploitation.
CVE-2026-33525 was publicly disclosed on 2026-03-24. There are currently no known public proof-of-concept exploits. NVD rates the severity as Low, which reflects the non-default configuration required for exploitation; the EPSS score of 0.05% (15th percentile) separately estimates a low probability of exploitation in the wild. The CVE is not currently listed in the CISA KEV catalog.
Organizations running Authelia v4 with a customized Content Security Policy (CSP) template are at risk. This includes deployments where the CSP template has been intentionally modified or disabled, particularly those with non-standard security configurations. Shared hosting environments where Authelia sits behind infrastructure shared with other applications may also be at increased risk if CSP settings are inadvertently affected, for example by a shared reverse proxy that rewrites or strips the Content-Security-Policy header.
• linux / server: Examine the Authelia configuration for a non-default csp_template value (the key is server.headers.csp_template; an absent key or an empty string means the built-in default policy is in use). For example:
grep -n 'csp_template:' /etc/authelia/authelia.yaml
• generic web: Monitor Authelia logs for unusual activity and, where a report-uri or report-to directive is configured, for CSP violation reports. Inspect HTTP response headers for unexpected CSP directives.
• generic web: Use a web proxy or browser developer tools to inspect the Content-Security-Policy header on Authelia responses and confirm that script-src does not permit inline scripts ('unsafe-inline' without a nonce) or wildcard sources.
Disclosure
Exploit status: no public exploit known
EPSS: 0.05% (15th percentile)
CISA SSVC: none listed
The primary mitigation for CVE-2026-33525 is to upgrade Authelia to version 4.39.16 or later, which includes the fix. If upgrading is not immediately feasible, review and secure the CSP template configuration: leave csp_template unconfigured (so the default, safe policy is used) or set it explicitly to an approved, secure value, and never disable the CSP entirely. After upgrading, confirm the fix by checking the Content-Security-Policy header returned by Authelia: it should carry the default policy (or your approved value), and script-src must not allow inline or wildcard sources.
Update to version 4.39.16 or roll back to version 4.39.14 to mitigate the XSS vulnerability. If neither upgrading nor downgrading is possible, make sure the script-src and connect-src directives of the Content Security Policy (CSP) have not been modified in a way that permits execution of untrusted scripts. The default CSP configuration makes this vulnerability unexploitable.
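As an added example, not Authelia's own code, the following Go program audits a Content-Security-Policy header value of the kind you would capture from an Authelia response with a proxy or browser developer tools. It serves both the header-inspection step in the detection list above and the script-src/connect-src check in the mitigation text: it parses the header, applies the default-src fallback that browsers use when a fetch directive is absent, treats 'unsafe-inline' as neutralised when a nonce or hash source is present (CSP2+ behaviour), and flags sources that would let injected script run or reach arbitrary origins. The sample headers in main are constructed for illustration; the "baseline" policy is a reasonable nonce-based policy, not Authelia's actual default template.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding records one weak source in a CSP directive.
type Finding struct {
	Directive string // directive that actually governs the fetch (may be default-src)
	Source    string // offending source expression; "" when the directive is missing
	Reason    string
}

// ParseCSP splits a Content-Security-Policy header value into
// directive name -> source expressions. Directives are ';'-separated,
// sources are whitespace-separated, and names are case-insensitive.
func ParseCSP(header string) map[string][]string {
	policy := make(map[string][]string)
	for _, part := range strings.Split(header, ";") {
		fields := strings.Fields(part)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		if _, seen := policy[name]; seen {
			continue // browsers honour only the first occurrence of a directive
		}
		policy[name] = fields[1:]
	}
	return policy
}

// governing returns the sources that apply to a fetch directive,
// falling back to default-src when the directive itself is absent.
func governing(policy map[string][]string, directive string) ([]string, string, bool) {
	if srcs, ok := policy[directive]; ok {
		return srcs, directive, true
	}
	if srcs, ok := policy["default-src"]; ok {
		return srcs, "default-src", true
	}
	return nil, "", false
}

// hasNonceOrHash reports whether a source list contains a nonce or hash
// expression; CSP2+ browsers then ignore 'unsafe-inline' in that list.
func hasNonceOrHash(srcs []string) bool {
	for _, s := range srcs {
		l := strings.ToLower(s)
		if strings.HasPrefix(l, "'nonce-") || strings.HasPrefix(l, "'sha256-") ||
			strings.HasPrefix(l, "'sha384-") || strings.HasPrefix(l, "'sha512-") {
			return true
		}
	}
	return false
}

// AuditCSP checks script-src and connect-src, the two directives the
// mitigation text names, for sources that let injected script run or
// reach arbitrary origins. A missing directive with no default-src is
// reported as unrestricted.
func AuditCSP(header string) []Finding {
	policy := ParseCSP(header)
	var findings []Finding
	for _, directive := range []string{"script-src", "connect-src"} {
		srcs, name, ok := governing(policy, directive)
		if !ok {
			findings = append(findings, Finding{directive, "", "directive missing and no default-src: unrestricted"})
			continue
		}
		nonced := hasNonceOrHash(srcs)
		for _, s := range srcs {
			l := strings.ToLower(s)
			switch {
			case l == "*" || l == "http:" || l == "https:":
				findings = append(findings, Finding{name, s, "any origin allowed"})
			case directive == "script-src" && l == "'unsafe-inline'" && !nonced:
				findings = append(findings, Finding{name, s, "inline script allowed"})
			case directive == "script-src" && l == "'unsafe-eval'":
				findings = append(findings, Finding{name, s, "eval allowed"})
			case directive == "script-src" && (l == "data:" || l == "blob:"):
				findings = append(findings, Finding{name, s, "script from data:/blob: URLs allowed"})
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample headers (not Authelia's actual default policy):
	// a nonce-based baseline and a weakened policy of the kind a modified
	// csp_template might emit.
	samples := []struct{ label, header string }{
		{"baseline", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; connect-src 'self'; object-src 'none'"},
		{"weakened", "default-src 'self'; script-src 'self' 'unsafe-inline' https:; connect-src *"},
	}
	for _, s := range samples {
		fmt.Printf("%s:\n", s.label)
		for _, f := range AuditCSP(s.header) {
			fmt.Printf("  %-12s %-18q %s\n", f.Directive, f.Source, f.Reason)
		}
	}
}
```

Run it against the header copied from a real response; an empty result for script-src and connect-src is what the default-policy deployment should produce, while any finding against a modified csp_template is the condition the advisory describes as exploitable.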
CVE-2026-33525 is a Cross-Site Scripting (XSS) vulnerability in Authelia v4 affecting versions up to 4.39.15. It arises from misconfigured Content Security Policy (CSP) templates, allowing potential script injection.
You are affected if you are running Authelia v4 versions 4.39.15 or earlier and have modified or disabled the default Content Security Policy (CSP) template.
Upgrade Authelia to version 4.39.16 or later. Alternatively, carefully review and secure your CSP template configuration, ensuring it uses the default safe value or a properly configured alternative.
There are currently no confirmed reports of active exploitation of CVE-2026-33525, but the vulnerability remains a potential risk.
Refer to the official Authelia security advisory for details and updates: https://github.com/authelia/authelia/security/advisories/GHSA-xxxx-xxxx-xxxx (placeholder identifier; replace with the actual advisory URL when available)