CVE-2026-33525: Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting

Official Weighted Severity Rating: Low

This exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, any other value other than unconfigured should be very carefully evaluated regardless of the fix.

server:
headers:
csp_template: ''

AUTHELIA_SERVER_HEADERS_CSP_TEMPLATE=

Provided the following conditions are met:

1. The Content Security Policy:
2. Has been disabled or modified from the entirely safe default value; and
3. Has been completely disabled by the Administrator by omitting the header explicitly at the proxy (worst practice); or
4. Has been effectively disabled by modifying script-src allowing unsafe inline scripts rather than using hashes AND effectively disabled by modifying connect-src allowing connections to arbitrary websites.
5. Authelia is being hosted on a domain that has other applications that can write to the cookie for the Authelia domain.
6. One of the other applications noted in 2 has an vulnerability that can be exploited to execute malicious javascript with similar requirements to 1.
7. The attacker can exploit the javascript in 3 to delete the existing language cookie scoped to the fully qualified domain name of Authelia with the same site value of strict (which is not possible in most scenarios unless the application in 3 has the exact same domain or a subdomain of the Authelia domain).
8. The attacker can exploit the javascript in 3 to write a new language cookie scoped for a domain that Authelia is sent cookies for.
9. The attacker can get a user to meet the conditions required to execute the javascript in 3.
10. You are running Authelia 4.39.15.

An attacker may potentially be able to inject javascript into the Authelia login page. Unless both the script-src and connect-src directives have been modified it’s almost impossible for this to have a meaningful impact. However if both of these are and they are done so without consideration to their potential impact; there is a are situations where this vulnerability could be exploited.

This is caused to the lack of neutralization of the langauge cookie value when rendering the HTML template.

This vulnerability is likely difficult to discover though fingerprinting due to the way Authelia is designed but it should not be considered impossible. The additional requirement to identify the secondary application is however likely to be significantly harder to identify along side this, but also likely easier to fingerprint.