CVE-2026-21620
Received Received - Intake
Relative Path Traversal in Erlang OTP TFTP File Modules

Publication date: 2026-02-20

Last updated on: 2026-04-06

Assigner: EEF

Description
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.Erl. This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21620
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
erlang otp From 17.0 (inc)
erlang otp From 5.10 (inc) to 7.0 (exc)
erlang otp From 1.0 (inc)
erlang otp 26.2.5.17
erlang otp 27.3.4.8
erlang otp 28.3.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-21620 is a path traversal vulnerability in the Erlang/OTP TFTP server implementation. It occurs because the TFTP server's default configuration allows clients to access files on the host filesystem without proper restrictions, limited only by the file permissions of the Erlang VM user."}, {'type': 'paragraph', 'content': "This vulnerability allows remote attackers to read or write files outside the intended directory by exploiting the lack of proper isolation or compartmentalization in the TFTP server's file handling modules."}, {'type': 'paragraph', 'content': 'The root cause is that the server concatenates requested file names directly with a root directory path without sanitizing or neutralizing relative path components like "../", enabling directory traversal attacks.'}, {'type': 'paragraph', 'content': 'To fix this, a new option `{root_dir, Dir}` was introduced to restrict file operations to a specified directory and its subdirectories, treating all requested filenames as relative to this root directory and preventing traversal outside it.'}] [2, 4, 5, 6]

Impact Analysis

This vulnerability can allow unauthorized remote users to read or modify files on the host system running the Erlang/OTP TFTP server.

Since the TFTP server runs with the permissions of the Erlang VM user, attackers can access any files that user can read or write, potentially exposing sensitive data or allowing unauthorized changes.

If the TFTP server is exposed to untrusted networks and not properly configured with the `root_dir` restriction, attackers can exploit this flaw to perform directory traversal attacks, leading to information disclosure or data tampering.

Workarounds include restricting file permissions so sensitive files are not accessible by the Erlang VM user, limiting network exposure of the TFTP server, and disabling write access via server options.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves a path traversal issue in the Erlang/OTP TFTP server allowing unauthorized file system access. Detection involves identifying if the TFTP server is running an affected Erlang/OTP version (from OTP 17.0 onwards before patched versions) and if it is reachable from untrusted networks.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or the presence of the vulnerability, monitor network traffic for TFTP requests that include suspicious file paths containing relative path components such as "../" which may indicate path traversal attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network packet capture tools like tcpdump or Wireshark to filter TFTP traffic and inspect filenames in TFTP requests:'}, {'type': 'list_item', 'content': 'tcpdump -i <interface> -nn -s0 -v port 69 and udp'}, {'type': 'list_item', 'content': 'Use Wireshark to filter on "tftp" protocol and examine filenames for path traversal patterns.'}, {'type': 'paragraph', 'content': 'Additionally, check the Erlang/OTP version running on your system to determine if it is vulnerable by running commands to query the OTP version, for example:'}, {'type': 'list_item', 'content': "erl -eval 'erlang:system_info(otp_release).' -s init stop -noshell"}, {'type': 'paragraph', 'content': 'If the version is OTP 17.0 or later but before patched versions (OTP 26.2.5.17, 27.3.4.8, 28.3.2 or later), the system is potentially vulnerable.'}] [5]

Mitigation Strategies

Immediate mitigation steps focus on restricting file system access of the Erlang/OTP TFTP server to prevent unauthorized path traversal.

  • Configure the TFTP server to use the `{root_dir, Dir}` option in the `tftp_file` callback module to restrict all file operations to a specific directory and its subdirectories, effectively sandboxing file access.
  • Ensure that the specified `root_dir` is an absolute path and a valid directory.
  • If possible, upgrade Erlang/OTP to a patched version that includes the fix for CVE-2026-21620, such as OTP 26.2.5.17, 27.3.4.8, 28.3.2 or later.
  • Restrict network exposure of the TFTP server port (UDP 69) to trusted hosts only, using firewall rules or network segmentation.
  • Limit file permissions so that the OS user running the Erlang VM does not have access to sensitive files that should not be exposed via TFTP.
  • Use the `connection_option()` `{reject,write}` to disable write access if write operations are not needed.

These steps collectively reduce the risk of exploitation by confining file access, limiting network reachability, and applying principle of least privilege.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21620. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart