CVE-2026-28808
published 2026-04-07

CVE-2026-28808: Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via…

Priority: P265
Severity: critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.53% (40.7th percentile)
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Affected (10 ranges)

Vendor   Product        Version range                                       Fixed in
debian   erlang         < erlang 1:27.3.4.10+dfsg-1 (sid)                   erlang 1:27.3.4.10+dfsg-1 (sid)
erlang   erlang_inets   < 9.3.2.4                                           9.3.2.4
erlang   erlang_inets   < 9.6.2                                             9.6.2
erlang   erlang_inets   >= 5.10 < 9.1.0.6                                   9.1.0.6
erlang   erlang_otp     >= 17.0 < 26.2.5.19                                 26.2.5.19
erlang   erlang_otp     >= 27.0 < 27.3.4.10                                 27.3.4.10
erlang   erlang_otp     >= 28.0 < 28.4.2                                    28.4.2
erlang   otp            >= 07b8f441ca711f9812fad9e9115bab3c3aa92f79 < **
erlang   otp            >= 17.0 < **
erlang   otp            >= 5.10 < **

Detection & IOCs (extracted from sources)

  • Detect unauthenticated HTTP requests to CGI scripts served via script_alias on Erlang OTP inets httpd. Because of the path mismatch, mod_auth evaluates access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path; monitor for successful CGI responses to unauthenticated requests on paths mapped by script_alias.
  • Audit Erlang OTP inets httpd server configurations for script_alias entries pointing outside DocumentRoot combined with directory-based auth rules; the affected source files are mod_alias.erl, mod_auth.erl, and mod_cgi.erl.
  • The vulnerability only manifests when script_alias maps a URL prefix to a directory outside DocumentRoot AND directory-based access controls (mod_auth) are configured to protect those CGI scripts; both conditions must be present.
  • Affected OTP versions: OTP 17.0 up to (not including) OTP 28.4.2, 27.3.4.10, and 26.2.5.19; corresponding inets versions 5.10 up to (not including) 9.6.2, 9.3.2.4, and 9.1.0.6.
  • No mitigation is currently available per Red Hat Product Security criteria; patching to fixed OTP versions is the only remediation.
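The following is an added example, not code from this page or from the OTP project. It models the mismatch described in the advisory (mod_auth checking DocumentRoot + request path, mod_cgi executing the script_alias-resolved path) and implements the configuration audit from the bullets above: flag any script_alias whose target lies outside DocumentRoot and is covered by a directory rule. It assumes a simplified representation of inets httpd properties as Python tuples; the keys document_root, script_alias and directory are modelled on inets' property names, parsing real Erlang term files is out of scope, and every path in the sample configuration is constructed.

```python
import posixpath

# Constructed sample configuration (not from the page). The tuples mirror the shape of
# inets httpd properties {document_root, Dir}, {script_alias, {Alias, Dir}} and
# {directory, {Dir, Props}}; parsing real Erlang term files is out of scope here.
SAMPLE_CONFIG = [
    ("document_root", "/var/www/html"),
    ("script_alias", ("/cgi-bin/", "/opt/cgi/")),             # target outside DocumentRoot
    ("script_alias", ("/local-cgi/", "/var/www/html/cgi/")),  # target inside DocumentRoot
    ("directory", ("/opt/cgi", [("auth_type", "plain"), ("require_user", ["admin"])])),
]


def _under(path, root):
    """True if `path` equals `root` or lies beneath it (comparison on normalised paths)."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def document_root(config):
    return next(value for key, value in config if key == "document_root")


def cgi_path(config, request_path):
    """Path mod_cgi resolves for a request: the script_alias prefix is swapped for its
    mapped directory (first matching alias wins in this model). None if no alias matches."""
    for key, value in config:
        if key == "script_alias":
            alias, target = value
            if request_path.startswith(alias):
                return posixpath.normpath(posixpath.join(target, request_path[len(alias):]))
    return None


def auth_path(config, request_path):
    """Path mod_auth checks directory rules against, as the advisory describes it:
    the request path appended to DocumentRoot, ignoring script_alias entirely."""
    return posixpath.normpath(posixpath.join(document_root(config), request_path.lstrip("/")))


def protecting_rules(config, path):
    """Directories carrying access rules that contain `path`."""
    rules = []
    for key, value in config:
        if key == "directory":
            directory, _props = value
            if _under(path, directory):
                rules.append(directory)
    return rules


def explain(config, request_path):
    """Side-by-side view of what the two modules see for one request."""
    checked = auth_path(config, request_path)
    executed = cgi_path(config, request_path)
    return {
        "auth_checks": checked,
        "cgi_executes": executed,
        "rules_on_checked_path": protecting_rules(config, checked),
        "rules_on_executed_path": protecting_rules(config, executed) if executed else [],
    }


def audit(config):
    """Flag each script_alias whose target is outside DocumentRoot and is covered by a
    directory rule: the combination under which the rule is bypassed on affected versions."""
    root = document_root(config)
    findings = []
    for key, value in config:
        if key != "script_alias":
            continue
        alias, target = value
        rules = protecting_rules(config, target)
        if rules and not _under(target, root):
            findings.append({"alias": alias, "target": target, "rules": rules})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("script_alias", finding["alias"], "->", finding["target"],
              "is outside DocumentRoot and guarded only by", finding["rules"])
    print(explain(SAMPLE_CONFIG, "/cgi-bin/report.sh"))
```

For the sample request /cgi-bin/report.sh the model shows mod_auth evaluating /var/www/html/cgi-bin/report.sh (no rule matches) while mod_cgi executes /opt/cgi/report.sh (covered by the /opt/cgi rule), which is exactly the condition the audit flags; the second alias, whose target is inside DocumentRoot, is not reported. Until a fixed OTP version is deployed, the finding tells you which aliases need attention.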

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0     8.3    HIGH      CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv                      8.3    HIGH
vendor_debian            8.3    HIGH
vendor_redhat            8.3    HIGH