CVE Catalog

CVE-2026-28808

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.53%

41th percentile — higher than 41% of all known CVEs

Summary

An incorrect authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. The path mismatch between mod_auth and mod_cgi evaluation enables bypassing access controls.

Risk Assessment

The organization is at risk of unauthorized access to CGI scripts intended to be protected by directory rules, potentially leading to sensitive data disclosure or unauthorized server operations.

Recommendation

Update Erlang OTP to version 28.4.2, 27.3.4.10, or 26.2.5.19 (or later) depending on the branch in use. For environments where patching is not possible, review script_alias configuration and directory access rules.

Original NVD description (English source)

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS