CVE-2026-47203

Source
https://cve.org/CVERecord?id=CVE-2026-47203
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47203.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-47203
Aliases
Published
2026-06-19T20:19:47.903Z
Modified
2026-07-08T08:13:39.689117093Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Authelia Missing Username Canonicalization in Basic Auth (LDAP)
Details

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth (i.e via the Authorization header with the Basic scheme) on the authz verification endpoint, Authelia takes the username directly from the Authorization header and passes it as is to the regulation system for ban checking and attempt recording. LDAP treats usernames case insensitively : john, John, and JOHN all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a usernames case to have its own ban bucket. Upgrade to 4.39.20 to receive a patch. As a workaround, explicitly disable the basic auth mechanism.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47203.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-178",
        "CWE-307"
    ]
}
References

Affected packages

Git / github.com/authelia/authelia

Affected ranges

Type
GIT
Repo
https://github.com/authelia/authelia
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "4.38.0"
        },
        {
            "fixed": "4.39.20"
        }
    ]
}

Affected versions

v4.*
v4.38.0
v4.38.1
v4.38.10
v4.38.11
v4.38.12
v4.38.13
v4.38.14
v4.38.15
v4.38.16
v4.38.17
v4.38.18
v4.38.19
v4.38.2
v4.38.3
v4.38.4
v4.38.5
v4.38.6
v4.38.7
v4.38.8
v4.38.9
v4.39.0
v4.39.1
v4.39.10
v4.39.11
v4.39.12
v4.39.13
v4.39.14
v4.39.15
v4.39.16
v4.39.17
v4.39.18
v4.39.19
v4.39.2
v4.39.3
v4.39.4
v4.39.5
v4.39.6
v4.39.7
v4.39.8
v4.39.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47203.json"