SCA: security update for github.com/authelia/authelia/v4 (GHSA-j748-h363-wqj8)

Severity: Low | Tenable Self-Hosted Container Security | Plugin ID 444048

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to a lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. The specific conditions that could lead to a security issue for this vulnerability are:
  1. The specific target resource of the attack must be using the forwarded authorization integration;
  2. The requested domain must have two additional segments compared to a session domain, i.e. `a.b.example.com` is requested, but the session domain is `example.com`;
  3. The access control rules must specify two separate rules which both contain inexact domain matches such as `*.b.example.com` and `*.example.com`, i.e. wildcards, username matches, group matches;
  4. The rules must be in order of most specific domain to least specific domain;
  5. The second rule must be more permissive than the first rule;
  6. The attacker must specifically request a URL for the more specific domain, with the second part containing one or more capitalized letters, i.e. `https://a.B.example.com`, and no other segment with capitalized letters;
  7. The integration used must not be the Envoy ExtAuthz integration; and
  8. The proxy must not canonicalize the requested host name in the relevant header before sending it to the relevant authorization endpoint.
  The kind of configuration used to produce this issue and result in a `bypass` rule being matched has long been highly discouraged. Essentially, hosts which should be bypassed entirely should not be secured by having the proxy check them with the authorization handlers. Upgrade to 4.39.20 to receive a patch. (CVE-2026-48794)

Solution

Update the github.com/authelia/authelia/v4 library and its related packages to version 4.39.20 or later.

See Also

https://github.com/advisories/GHSA-j748-h363-wqj8

Plugin Details

Severity: Low

ID: 444048

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 6/27/2026

Updated: 6/29/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-48794

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.3

Threat Score: 1.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/26/2026

Vulnerability Publication Date: 6/19/2026

Reference Information

CVE: CVE-2026-48794