CVE-2026-28808 — Incorrect Authorization in OTP
Severity: 8.3 HIGH (NVD)
EPSS: 0.1% (top 80.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Apr 7; latest update Apr 13
Description
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.
When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant …
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Packages: 1 package
Vulnerability Details
VulDB (2026-04-13): Erlang OTP up to 28.4.2 mod_alias.erl script_alias authorization (Nessus ID 305625 / WID-SEC-2026-0998)
OSV (2026-04-07): CVE-2026-28808: Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when ser
CVEList (2026-04-07): ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)
Bugzilla
Bugzilla (2026-04-07): CVE-2026-28808 erlang: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization [epel-all]
Bugzilla (2026-04-07): CVE-2026-28808 erlang/otp: inets: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization
Bugzilla (2026-04-07): CVE-2026-28808 erlang: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization [fedora-all]