CVE-2026-28808
Published:April 07, 2026
Updated:April 20, 2026
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.
When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.
This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.
This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
Affected Packages
https://github.com/erlang/otp.git (GITHUB):
Affected version(s) >=OTP-17.0 <OTP-26.2.5.19Fix Suggestion:
Update to version OTP-26.2.5.19https://github.com/erlang/otp.git (GITHUB):
Affected version(s) >=OTP-27.0 <OTP-27.3.4.10Fix Suggestion:
Update to version OTP-27.3.4.10https://github.com/erlang/otp.git (GITHUB):
Affected version(s) >=OTP-28.0 <OTP-28.4.2Fix Suggestion:
Update to version OTP-28.4.2Related Resources (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Incorrect Authorization
