{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33525", "tracking": { "current_release_date": "2026-04-02T18:33:08.551681Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33525", "initial_release_date": "2026-03-25T01:00:11.950597Z", "revision_history": [ { "date": "2026-03-25T01:00:11.950597Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-25T01:00:13.932294Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-25T18:12:52.615918Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (2).| Product Identifiers created (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-25T18:12:54.113564Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-26T20:26:52.602474Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-03-26T20:26:55.534485Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-26T20:39:14.385020Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-26T20:39:17.162810Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-27T00:13:44.425145Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (1)." }, { "date": "2026-03-27T20:56:48.082846Z", "number": "10", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-27T20:56:50.601956Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-28T17:05:01.505260Z", "number": "12", "summary": "NCSC Score updated." }, { "date": "2026-03-30T14:40:29.913029Z", "number": "13", "summary": "References created (1)." }, { "date": "2026-03-30T14:40:31.580288Z", "number": "14", "summary": "NCSC Score updated." }, { "date": "2026-03-30T15:39:49.909590Z", "number": "15", "summary": "Unknown change." }, { "date": "2026-04-02T18:25:09.793056Z", "number": "16", "summary": "CVSS created.| Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-04-02T18:25:17.795244Z", "number": "17", "summary": "NCSC Score updated." } ], "status": "interim", "version": "17" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/4.39.15", "product": { "name": "vers:unknown/4.39.15", "product_id": "CSAFPID-5907196", "product_identification_helper": { "cpe": "cpe:2.3:a:authelia:authelia:4.39.15:*:*:*:*:*:*:*", "purl": "pkg:golang/github.com/authelia/authelia/v4@4.39.15" } } }, { "category": "product_version_range", "name": "vers:unknown/>=4.39.15|<4.39.16", "product": { "name": "vers:unknown/>=4.39.15|<4.39.16", "product_id": "CSAFPID-5907197" } } ], "category": "product_name", "name": "Authelia" } ], "category": "vendor", "name": "Authelia" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33525", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, "notes": [ { "category": "description", "text": "### Impact\n\n**Official Weighted Severity Rating:** Low\n\nThis exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, **_any other value_** other than unconfigured should be **_very carefully evaluated_** regardless of the fix.\n\n```yaml\nserver:\n headers:\n csp_template: ''\n```\n\n```env\nAUTHELIA_SERVER_HEADERS_CSP_TEMPLATE=\n```\n\nProvided the following conditions are met:\n\n1. The Content Security Policy:\n 1. Has been disabled or modified from the entirely safe default value; and\n 2. Has been completely disabled by the Administrator by omitting the header explicitly at the proxy (worst practice); or\n 3. Has been effectively disabled by modifying `script-src` allowing unsafe inline scripts rather than using hashes AND effectively disabled by modifying `connect-src` allowing connections to arbitrary websites.\n2. Authelia is being hosted on a domain that has other applications that can write to the cookie for the Authelia domain.\n3. One of the other applications noted in 2 has an vulnerability that can be exploited to execute malicious javascript with similar requirements to 1.\n4. The attacker can exploit the javascript in 3 to delete the existing `language` cookie scoped to the fully qualified domain name of Authelia with the same site value of `strict` (which is not possible in most scenarios unless the application in 3 has the exact same domain or a subdomain of the Authelia domain).\n5. The attacker can exploit the javascript in 3 to write a new `language` cookie scoped for a domain that Authelia is sent cookies for.\n6. The attacker can get a user to meet the conditions required to execute the javascript in 3.\n7. You are running Authelia 4.39.15.\n\nAn attacker may potentially be able to inject javascript into the Authelia login page. Unless both the `script-src` and `connect-src` directives have been modified it's almost impossible for this to have a meaningful impact. However if both of these are and they are done so without consideration to their potential impact; there is a are situations where this vulnerability could be exploited.\n\nThis is caused to the lack of neutralization of the `langauge` cookie value when rendering the HTML template.\n\nThis vulnerability is likely difficult to discover though fingerprinting due to the way Authelia is designed but it should not be considered impossible. The additional requirement to identify the secondary application is however likely to be significantly harder to identify along side this, but also likely easier to fingerprint.\n\n### Patches\n\nUpgrade to 4.39.16 or Downgrade to 4.39.14.\n\n### Proof of Concept\n\nNo current proof of concept exists that does not require manual manipulation of the browser which is effectively a local attack where all privileges have been compromised without the need for this attack vector (i.e. installation of userscripts or a browser plugin which would be able to compromise any website or web app). There is a decent chance one will exist or certain conditions exist that could lead to the vulnerability being exploitable.\n\nDiscovery of this flaw has prompted an deliberate evaluation of any other potential flaws similar to this which did not yield any results, as well as a deliberate evaluation of best practices in this area which has resulted in a minor tweak to hardening measures. These additional hardening measures should not have any effect (explicit definition of the `script-src` and `connect-src` policies, which are the same value as `default` was previously), but it should theoretically prevent an accidental change in the future degrading the existing security layers we implement.\n\n### Workarounds\n\nThe overwhelming majority of installations will not be affected and no workarounds are necessary. The default value for the Content Security Policy makes exploiting this weakness completely impossible. It's only possible via the deliberate removal of the Content Security Policy or deliberate inclusion of clearly noted unsafe policies.\n\n#### Use the default Content Security Policy\n\nThe default Content Security Policy is completely secure and prevents any third party javascript the browser evaluates against it.\n\n```yaml\nserver:\n headers:\n csp_template: ''\n```\n\nUsing a custom Content Security Policy is a very advanced choice that requires specialist knowledge. The use of `unsafe-inline`, `unsafe-eval`, `unsafe-hashes`, etc. are particularly problematic as they effectively allow arbitrary script execution (if a security policy includes an option that says `unsafe` it's probably a good indication you should not use it).\n\n#### Upgrade or Downgrade\n\nBoth the next version and previous version of Authelia do not have this bug.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-gmfg-3v4q-9qr4.json?alt=media" }, { "category": "description", "text": "### Impact\n\n**Official Weighted Severity Rating:** Low\n\nThis exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, **_any other value_** other than unconfigured should be **_very carefully evaluated_** regardless of the fix.\n\n```yaml\nserver:\n headers:\n csp_template: ''\n```\n\n```env\nAUTHELIA_SERVER_HEADERS_CSP_TEMPLATE=\n```\n\nProvided the following conditions are met:\n\n1. The Content Security Policy:\n 1. Has been disabled or modified from the entirely safe default value; and\n 2. Has been completely disabled by the Administrator by omitting the header explicitly at the proxy (worst practice); or\n 3. Has been effectively disabled by modifying `script-src` allowing unsafe inline scripts rather than using hashes AND effectively disabled by modifying `connect-src` allowing connections to arbitrary websites.\n2. Authelia is being hosted on a domain that has other applications that can write to the cookie for the Authelia domain.\n3. One of the other applications noted in 2 has an vulnerability that can be exploited to execute malicious javascript with similar requirements to 1.\n4. The attacker can exploit the javascript in 3 to delete the existing `language` cookie scoped to the fully qualified domain name of Authelia with the same site value of `strict` (which is not possible in most scenarios unless the application in 3 has the exact same domain or a subdomain of the Authelia domain).\n5. The attacker can exploit the javascript in 3 to write a new `language` cookie scoped for a domain that Authelia is sent cookies for.\n6. The attacker can get a user to meet the conditions required to execute the javascript in 3.\n7. You are running Authelia 4.39.15.\n\nAn attacker may potentially be able to inject javascript into the Authelia login page. Unless both the `script-src` and `connect-src` directives have been modified it's almost impossible for this to have a meaningful impact. However if both of these are and they are done so without consideration to their potential impact; there is a are situations where this vulnerability could be exploited.\n\nThis is caused to the lack of neutralization of the `langauge` cookie value when rendering the HTML template.\n\nThis vulnerability is likely difficult to discover though fingerprinting due to the way Authelia is designed but it should not be considered impossible. The additional requirement to identify the secondary application is however likely to be significantly harder to identify along side this, but also likely easier to fingerprint.\n\n### Patches\n\nUpgrade to 4.39.16 or Downgrade to 4.39.14.\n\n### Proof of Concept\n\nNo current proof of concept exists that does not require manual manipulation of the browser which is effectively a local attack where all privileges have been compromised without the need for this attack vector (i.e. installation of userscripts or a browser plugin which would be able to compromise any website or web app). There is a decent chance one will exist or certain conditions exist that could lead to the vulnerability being exploitable.\n\nDiscovery of this flaw has prompted an deliberate evaluation of any other potential flaws similar to this which did not yield any results, as well as a deliberate evaluation of best practices in this area which has resulted in a minor tweak to hardening measures. These additional hardening measures should not have any effect (explicit definition of the `script-src` and `connect-src` policies, which are the same value as `default` was previously), but it should theoretically prevent an accidental change in the future degrading the existing security layers we implement.\n\n### Workarounds\n\nThe overwhelming majority of installations will not be affected and no workarounds are necessary. The default value for the Content Security Policy makes exploiting this weakness completely impossible. It's only possible via the deliberate removal of the Content Security Policy or deliberate inclusion of clearly noted unsafe policies.\n\n#### Use the default Content Security Policy\n\nThe default Content Security Policy is completely secure and prevents any third party javascript the browser evaluates against it.\n\n```yaml\nserver:\n headers:\n csp_template: ''\n```\n\nUsing a custom Content Security Policy is a very advanced choice that requires specialist knowledge. The use of `unsafe-inline`, `unsafe-eval`, `unsafe-hashes`, etc. are particularly problematic as they effectively allow arbitrary script execution (if a security policy includes an option that says `unsafe` it's probably a good indication you should not use it).\n\n#### Upgrade or Downgrade\n\nBoth the next version and previous version of Authelia do not have this bug.", "title": "github - https://api.github.com/advisories/GHSA-gmfg-3v4q-9qr4" }, { "category": "description", "text": "Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In version 4.39.15, an attacker may potentially be able to inject javascript into the Authelia login page if several conditions are met simultaneously. Unless both the `script-src` and `connect-src` directives have been modified it's almost impossible for this to have a meaningful impact. However if both of these are and they are done so without consideration to their potential impact; there is a are situations where this vulnerability could be exploited. This is caused to the lack of neutralization of the `langauge` cookie value when rendering the HTML template. This vulnerability is likely difficult to discover though fingerprinting due to the way Authelia is designed but it should not be considered impossible. The additional requirement to identify the secondary application is however likely to be significantly harder to identify along side this, but also likely easier to fingerprint. Users should upgrade to 4.39.16 or downgrade to 4.39.14 to mitigate the issue. The overwhelming majority of installations will not be affected and no workarounds are necessary. The default value for the Content Security Policy makes exploiting this weakness completely impossible. It's only possible via the deliberate removal of the Content Security Policy or deliberate inclusion of clearly noted unsafe policies.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33525" }, { "category": "description", "text": "Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In version 4.39.15, an attacker may potentially be able to inject javascript into the Authelia login page if several conditions are met simultaneously. Unless both the `script-src` and `connect-src` directives have been modified it's almost impossible for this to have a meaningful impact. However if both of these are and they are done so without consideration to their potential impact; there is a are situations where this vulnerability could be exploited. This is caused to the lack of neutralization of the `langauge` cookie value when rendering the HTML template. This vulnerability is likely difficult to discover though fingerprinting due to the way Authelia is designed but it should not be considered impossible. The additional requirement to identify the secondary application is however likely to be significantly harder to identify along side this, but also likely easier to fingerprint. Users should upgrade to 4.39.16 or downgrade to 4.39.14 to mitigate the issue. The overwhelming majority of installations will not be affected and no workarounds are necessary. The default value for the Content Security Policy makes exploiting this weakness completely impossible. It's only possible via the deliberate removal of the Content Security Policy or deliberate inclusion of clearly noted unsafe policies.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33525.json" }, { "category": "description", "text": "Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting in github.com/authelia/authelia", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4818.json?alt=media" }, { "category": "other", "text": "0.00041", "title": "EPSS" }, { "category": "other", "text": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/S:N/AU:Y/R:U/V:D/RE:L/U:Clear", "title": "CVSSV4" }, { "category": "other", "text": "0.5", "title": "CVSSV4 base score" }, { "category": "other", "text": "4.2", "title": "NCSC Score" }, { "category": "other", "text": "There is product data available from source Cveprojectv5", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, There is exploit data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5907196", "CSAFPID-5907197" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-gmfg-3v4q-9qr4" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-gmfg-3v4q-9qr4.json?alt=media" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33525" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33525.json" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4818.json?alt=media" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/authelia/authelia/security/advisories/GHSA-gmfg-3v4q-9qr4" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-gmfg-3v4q-9qr4" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33525" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5907196", "CSAFPID-5907197" ] } ], "title": "CVE-2026-33525" } ] }