authelia

v4.39.20 Security

This release includes 2 security fixes and is relevant to security teams reviewing exposed deployments.

Topics

2fa, authentication, docker, go, kubernetes, ldap, mfa, multifactor, oauth2, openid-connect, passkeys, push-notifications, security, sso, sso-authentication, totp, two-factor, two-factor-authentication, webauthn, yubikey

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal (auto-generated editorial)

This release fixes critical authentication and authorization bugs in Authelia, including missing username canonicalization for Basic Auth with LDAP and an edge-case access control rule miss.

Why it matters: Addresses two high-severity (90) security issues affecting basic auth and access control; operators should upgrade immediately to prevent privilege escalation or unauthorized access.

Summary (AI-generated)

The release notes cover bug fixes (including two security fixes), new contributors, and the Docker container images for this release.

Changes in this release

Security, critical

  • Fixes missing username canonicalization in Basic Auth with LDAP.
  • Fixes an edge-case access control rule domain miss due to lack of canonicalization.

Bug fixes, medium

  • Fixes incorrect bind mode in authentication.
  • Fixes OAuth2 client credentials being treated as anonymous.
  • Adds default attributes to the FreeIPA configuration.
  • Preserves dots in map key names during koanf remap.
  • Adds missing extensions to expression handling.
  • Ensures unknown bans are measured in metrics.
  • Hardens one-time code consumption in storage.
  • Corrects the query used to look up an auth code by request ID.

Source: llm_adapter@2026-05-26 (confidence: high, for all entries above)

Full changelog

Security Fixes

This release contains important security fixes. We encourage users to update as soon as practical.

The following advisories accompany this release (listed under Security Fixes at the end of the changelog):

Bug Fixes

  • authentication: incorrect bind mode (#12094) (dc1d1d6) by @james-d-elliott
  • authorization: case-insensitive domain matching [security] (#12169) (b6d1d60) by @james-d-elliott
  • authorization: oauth2 client credentials considered anonymous (#12141) (54de0c9) by @james-d-elliott
  • configuration: add default attributes to freeipa (#12155) (f8203be) by @kaysond
  • configuration: include specific warning about ports (#12145) (033533e) by @james-d-elliott
  • configuration: preserve dots in map key names during koanf remap (#11803) (211a4cd) by @nightah
  • expression: add missing extensions (#11226) (4c7ffd3) by @james-d-elliott
  • handlers: basic auth username canonicalization [security] (#12170) (b8985b5) by @james-d-elliott
  • handlers: hoist issuer checks (#12160) (ab5dca7) by @james-d-elliott
  • metrics: ensure unknown bans are measured (#11999) (3adae90), closes #11972 by @james-d-elliott
  • metrics: go collectors not registered (#11894) (9cd8812) by @james-d-elliott
  • middlewares: add rate limit exclusions (#12159) (17397cd) by @james-d-elliott
  • session: add startup check for backend connectivity (#12157) (8149b6f) by @nightah
  • storage: harden one-time code consumption (#12095) (9dc3eb6) by @james-d-elliott
  • storage: incorrect query used for auth code by req id (#12139) (dc6365d) by @james-d-elliott
  • web: quote peer dependency versions in pnpm-workspace (#12049) (1fb10aa), closes #12032 by @nightah

New Contributors

  • @nicomem made their first contribution in https://github.com/authelia/authelia/pull/11885
  • @TanguyBaudrin made their first contribution in https://github.com/authelia/authelia/pull/11750
  • @turtleinarock made their first contribution in https://github.com/authelia/authelia/pull/11912
  • @rpadovani made their first contribution in https://github.com/authelia/authelia/pull/11720
  • @arylatt made their first contribution in https://github.com/authelia/authelia/pull/11899
  • @dubwoc made their first contribution in https://github.com/authelia/authelia/pull/11933

Docker Container

  • docker pull authelia/authelia:4.39.20
  • docker pull ghcr.io/authelia/authelia:4.39.20

Security Fixes

  • GHSA-j748-h363-wqj8 – Edge Case Access Control Rule Domain Miss Due to Lack of Canonicalization
  • GHSA-hjj4-hfjm-fmrj – Missing Username Canonicalization in Basic Auth when using LDAP

About authelia

The Single Sign-On Multi-Factor portal for web apps, now OpenID Certified™
