CVE-2026-28808
Published 2026-04-07
CVE-2026-28808: Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via…
Priority P2 · 65 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.53% (40.7th percentile)
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.
When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.
This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.
This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | erlang | < erlang 1:27.3.4.10+dfsg-1 (sid) | erlang 1:27.3.4.10+dfsg-1 (sid) |
| erlang | erlang_inets | < 9.3.2.4 | 9.3.2.4 |
| erlang | erlang_inets | < 9.6.2 | 9.6.2 |
| erlang | erlang_inets | >= 5.10 < 9.1.0.6 | 9.1.0.6 |
| erlang | erlang_otp | >= 17.0 < 26.2.5.19 | 26.2.5.19 |
| erlang | erlang_otp | >= 27.0 < 27.3.4.10 | 27.3.4.10 |
| erlang | erlang_otp | >= 28.0 < 28.4.2 | 28.4.2 |
| erlang | otp | >= 07b8f441ca711f9812fad9e9115bab3c3aa92f79 < * | * |
| erlang | otp | >= 17.0 < * | * |
| erlang | otp | >= 5.10 < * | * |
Detection & IOCs
- Detect unauthenticated HTTP requests to CGI scripts served via script_alias on Erlang OTP inets httpd. Because of the path mismatch, mod_auth evaluates controls against the DocumentRoot-relative path while mod_cgi executes at the ScriptAlias-resolved path; monitor for successful CGI responses to unauthenticated requests on paths mapped by script_alias.
- Audit Erlang OTP inets httpd server configurations for use of script_alias pointing outside DocumentRoot combined with directory-based auth rules; the vulnerable source files are mod_alias.erl, mod_auth.erl, and mod_cgi.erl.
- The vulnerability only manifests when script_alias maps a URL prefix to a directory outside DocumentRoot AND directory-based access controls (mod_auth) are configured to protect those CGI scripts; both conditions must be present.
- Affected OTP versions: OTP 17.0 up to (not including) OTP 28.4.2, 27.3.4.10, and 26.2.5.19; corresponding inets versions 5.10 up to (not including) 9.6.2, 9.3.2.4, and 9.1.0.6.
- No mitigation is currently available per Red Hat Product Security criteria; patching to fixed OTP versions is the only remediation.
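The path mismatch described in the advisory text and the configuration audit item above, modelled as an added example (this is not inets code and not from any of the advisories): a simplified Python model that computes both the DocumentRoot-relative path and the script_alias-resolved path for a request, shows which directory rules each view matches, and flags script_alias targets outside DocumentRoot that a directory rule covers. The config dict, sample paths and function names are constructed for this example.

```python
# Added example (not inets code): simplified model of the CVE-2026-28808 mismatch.
# Affected mod_auth matched directory rules against DocumentRoot + URL path, while
# mod_cgi ran the script at the script_alias target. All paths here are constructed.
import posixpath

# Mirrors an inets httpd proplist: {document_root, "/var/www"},
# {script_alias, {"/cgi-bin/", "/opt/cgi/"}},
# {directory, {"/opt/cgi", [{auth_type, plain}, {require_user, ["ops"]}]}}
SAMPLE_CONFIG = {
    "document_root": "/var/www",
    "script_alias": [("/cgi-bin/", "/opt/cgi/")],
    "directory": ["/opt/cgi"],  # directories that carry mod_auth rules
}

def _under(path, root):
    """True if path equals root or lies inside it (separator-aware)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def resolve_paths(config, url_path):
    """(DocumentRoot-relative path mod_auth checked, path mod_cgi executed)."""
    docroot = posixpath.normpath(
        posixpath.join(config["document_root"], url_path.lstrip("/")))
    for prefix, target in config["script_alias"]:
        if url_path.startswith(prefix):
            resolved = posixpath.join(target, url_path[len(prefix):])
            return docroot, posixpath.normpath(resolved)
    return docroot, docroot  # no alias: both views coincide

def protected_by(config, fs_path):
    """Directory rules whose path covers fs_path."""
    return [d for d in config["directory"] if _under(fs_path, d)]

def audit_request(config, url_path):
    """Compare rules the affected check applied with rules that should apply."""
    auth_view, exec_path = resolve_paths(config, url_path)
    applied, intended = protected_by(config, auth_view), protected_by(config, exec_path)
    return {
        "url": url_path, "auth_checked_path": auth_view, "executed_path": exec_path,
        "rules_applied": applied, "rules_intended": intended,
        "auth_bypassed": bool(intended) and not applied,
    }

def audit_config(config):
    """Flag script_alias targets outside DocumentRoot that a directory rule covers."""
    return [(prefix, target, protected_by(config, target))
            for prefix, target in config["script_alias"]
            if not _under(target, config["document_root"])
            and protected_by(config, target)]
```

A configuration whose script_alias target lies inside DocumentRoot yields identical paths from `resolve_paths` and no findings from `audit_config`, which matches the advisory's statement that both conditions must be present.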
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 8.3 | HIGH | |
| vendor_debian | | 8.3 | HIGH | |
| vendor_redhat | | 8.3 | HIGH | |
Red Hat
erlang/otp: inets: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization
vendor_redhat · 2026-04-07 · CVSS 8.3 · HIGH · CWE-551
A flaw was found in Erlang OTP (inets modules). A remote unauthenticated attacker could exploit an incorrect authorization vulnerability when CGI (Common Gateway Interface) scripts are served via script_alias. This vulnerability arises from a path mismatch where access controls are evaluated against a different path than the script's execution path. This allows unauthorized access to CGI scripts intended to be protected by directory rules, potentially leading to information disclosure or the execution of unauthorized scripts.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria.
Debian
CVE-2026-28808: erlang - Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unaut...
vendor_debian · 2026 · CVSS 8.3 · HIGH
VulDB
Erlang OTP up to 28.4.2 mod_alias.erl script_alias authorization (Nessus ID 305625 / WID-SEC-2026-0998)
vuldb · 2026-04-13 · CVSS 8.3 · HIGH
A vulnerability was found in Erlang OTP up to 28.4.2. It has been classified as critical. This affects the function script_alias in the library lib/inets/src/http_server/mod_alias.erl. Performing a manipulation results in incorrect authorization.
This vulnerability is identified as CVE-2026-28808. The attack can be initiated remotely. There is not any exploit available.
OSV
CVE-2026-28808: Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when ser
osv · 2026-04-07 · CVSS 8.3 · HIGH
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-28808 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.3 · HIGH
CVE-2026-28808: Linux Debian vulnerability analysis and mitigation
Bugzilla
CVE-2026-28808 erlang: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization [epel-all]
bugzilla · 2026-04-07 · CVSS 8.3 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-28808 erlang/otp: inets: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization
bugzilla · 2026-04-07 · CVSS 8.3 · HIGH
Bugzilla
CVE-2026-28808 erlang: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization [fedora-all]
bugzilla · 2026-04-07 · CVSS 8.3 · HIGH
Discussion:
FEDORA-2026-2a93359b0b (erlang-26.2.5.19-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-2a93359b0b
---
FEDORA-2026-53a7ddccc8 (erlang-26.2.5.19-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-53a7ddccc8
---
FEDORA-2026-dd4a7e240e (erlang-26.2.5.19-1.fc42) has been submitted as an update to Fedora 42.
References:
https://cna.erlef.org/cves/CVE-2026-28808.html
https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688
https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c
https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f
https://osv.dev/vulnerability/EEF-CVE-2026-28808
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://access.redhat.com/security/cve/CVE-2026-28808
https://bugzilla.redhat.com/show_bug.cgi?id=2455909
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28808.json
Published 2026-04-07