CVE-2026-47203
Severity: Low (CVSS 2.9)
Exploitation Probability (EPSS): Low risk, 22nd percentile (higher than 22% of all known CVEs)
Summary
Authelia versions 4.38.0 through 4.39.19 handle usernames inconsistently when a user authenticates with Basic Auth on the authz verification endpoint: the LDAP backend treats usernames case-insensitively, but the regulation (ban) system records and checks attempts with the username exactly as it appears in the `Authorization` header, which in some scenarios is a case-sensitive lookup. As a result, different case variations of the same username are tracked in separate ban buckets.
Risk Assessment
An attacker who can reach the authz verification endpoint can evade the login regulation by varying the case of the target username: each spelling receives its own attempt budget, so the number of password guesses available before a lockout is multiplied by the number of case variants of the username. This raises the exposure of LDAP-backed accounts to brute-force and credential-stuffing attacks; the issue does not by itself grant access, which is consistent with the low severity rating.
Recommendation
Upgrade to version 4.39.20, which contains the patch. If an immediate upgrade is not possible, explicitly disable the Basic Auth mechanism as a temporary workaround.
Original NVD description (English source)
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth (i.e. via the `Authorization` header with the `Basic` scheme) on the authz verification endpoint, Authelia takes the username directly from the `Authorization` header and passes it as is to the regulation system for ban checking and attempt recording. LDAP treats usernames case insensitively: `john`, `John`, and `JOHN` all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a username's case to have its own ban bucket. Upgrade to 4.39.20 to receive a patch. As a workaround, explicitly disable the basic auth mechanism.
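The following Go program is an added illustration of the mechanism described above; it is not Authelia's code and does not reproduce its regulation or SQL layer. It models a minimal regulation system that bans a bucket after a fixed number of failures (real regulation also uses a time window, which is omitted here), extracts the username from a `Basic` Authorization header without normalizing it, and compares how many password guesses an attacker gets when the ban bucket key is the raw header username versus a canonicalized (lower-cased) one. Lower-casing is used here as an illustrative canonicalization and is an assumption, not a statement of what the upstream patch does.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Regulator is a minimal stand-in for a login regulation system: it counts
// failed attempts per bucket key and bans a key once it reaches maxRetries.
// Illustrative only; Authelia's real regulation also applies a time window.
type Regulator struct {
	maxRetries int
	keyFunc    func(username string) string // maps a username to its ban bucket
	failures   map[string]int
}

func NewRegulator(maxRetries int, keyFunc func(string) string) *Regulator {
	return &Regulator{maxRetries: maxRetries, keyFunc: keyFunc, failures: map[string]int{}}
}

// IsBanned reports whether the bucket for username has exhausted its retries.
func (r *Regulator) IsBanned(username string) bool {
	return r.failures[r.keyFunc(username)] >= r.maxRetries
}

// RecordFailure adds one failed attempt to the bucket for username.
func (r *Regulator) RecordFailure(username string) {
	r.failures[r.keyFunc(username)]++
}

// UsernameFromBasicAuth returns the username from a Basic-scheme Authorization
// header exactly as the client sent it (no normalization), mirroring the
// behaviour the advisory describes.
func UsernameFromBasicAuth(header string) (string, error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", errors.New("not a Basic scheme header")
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):])
	if err != nil {
		return "", err
	}
	user, _, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", errors.New("malformed credentials")
	}
	return user, nil
}

// CaseVariants returns every distinct upper/lower-case spelling of s. A
// case-insensitive LDAP bind treats all of them as one account; a
// case-sensitive bucket key treats each one as a separate user.
func CaseVariants(s string) []string {
	variants := []string{""}
	for _, ch := range s {
		lo, up := strings.ToLower(string(ch)), strings.ToUpper(string(ch))
		next := make([]string, 0, len(variants)*2)
		for _, v := range variants {
			next = append(next, v+lo)
			if up != lo {
				next = append(next, v+up)
			}
		}
		variants = next
	}
	return variants
}

// AttemptsBeforeFullBan simulates an attacker cycling through every case
// variant of username, moving on once the current spelling is banned, and
// returns how many wrong-password guesses they get before all are banned.
func AttemptsBeforeFullBan(r *Regulator, username string) int {
	attempts := 0
	for _, v := range CaseVariants(username) {
		for !r.IsBanned(v) {
			r.RecordFailure(v) // every guess fails; the point is the attempt budget
			attempts++
		}
	}
	return attempts
}

func main() {
	// Constructed sample header: base64("John:wrong-password").
	header := "Basic " + base64.StdEncoding.EncodeToString([]byte("John:wrong-password"))
	user, _ := UsernameFromBasicAuth(header)
	fmt.Println("username taken from header:", user)

	vulnerable := NewRegulator(3, func(u string) string { return u }) // raw header value as key
	fixed := NewRegulator(3, strings.ToLower)                          // assumed canonicalization
	fmt.Println("case-sensitive bucket key, guesses before ban:", AttemptsBeforeFullBan(vulnerable, user))
	fmt.Println("normalized bucket key, guesses before ban:", AttemptsBeforeFullBan(fixed, user))
}
```

With a four-letter alphabetic username and max_retries of 3, the case-sensitive key yields 16 buckets and 48 guesses, while the normalized key yields a single bucket and 3 guesses. When checking an LDAP-backed deployment, the same idea applies as a test: after a lockout for `john`, a request for `JOHN` should also be rejected by regulation rather than reaching the bind.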

