CVE-2026-21620
Status: Received - Intake
Relative Path Traversal in Erlang OTP TFTP File Modules

Publication date: 2026-02-20

Last updated on: 2026-04-06

Assigner: EEF

Description
Relative Path Traversal and Improper Isolation or Compartmentalization vulnerability in the `tftp_file` callback module of Erlang/OTP, as shipped in the erlang/otp tree, in the inets application (which contained the TFTP code before inets 7.0) and in the standalone tftp application, allows Relative Path Traversal. The vulnerability is associated with the program file lib/tftp/src/tftp_file.erl (src/tftp_file.erl in the inets-era layout). Affected ranges, in the order the products are listed: erlang/otp from 17.0 (from commit 07b8f441ca711f9812fad9e9115bab3c3aa92f79); inets from 5.10 before 7.0; tftp from 1.0.
Meta Information
Published: 2026-02-20
Last modified: 2026-04-06
Generated: 2026-05-07
AI Q&A: 2026-02-20
EPSS evaluated: 2026-05-05
NVD
Affected Vendors & Products (6 associated CPEs)
Vendor   Product   Version / Range
erlang   otp       from 17.0 (inclusive)
erlang   otp       from 5.10 (inclusive) to 7.0 (exclusive)
erlang   otp       from 1.0 (inclusive)
erlang   otp       26.2.5.17
erlang   otp       27.3.4.8
erlang   otp       28.3.2
CWE
CWE-23 (Relative Path Traversal): The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-21620 is a path traversal vulnerability in the Erlang/OTP TFTP server. In the default configuration, the `tftp_file` callback module lets clients read and write files anywhere on the host filesystem, limited only by the file permissions of the OS user running the Erlang VM.

The root cause is that the server builds the target path by concatenating the requested filename onto a root directory without neutralising relative components such as "../", so a request can walk out of the intended directory (CWE-23). Because the file-handling callback does not isolate or compartmentalise requests, a remote attacker can read or overwrite files outside that directory.

The fix introduces a new `tftp_file` option `{root_dir, Dir}`: every requested filename is treated as relative to Dir and resolved within it, so that traversal outside Dir and its subdirectories is prevented. [2, 4, 5, 6]
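The mechanism above in miniature, as an added illustration rather than OTP's own `tftp_file` code: `unsafe_resolve` is the vulnerable pattern (root and client-supplied name simply joined), and `confined_resolve` does what a `root_dir`-style restriction has to do. The root directory and request names are constructed examples.

```python
"""Mechanism of CVE-2026-21620 in miniature: appending a client-supplied name to a
root directory versus confining it. Added illustration, not OTP's tftp_file code."""
import posixpath


def unsafe_resolve(root: str, requested: str) -> str:
    """The vulnerable pattern: the requested name is joined onto the root as-is.

    posixpath.join discards root entirely when the name is absolute, and
    normpath lets '..' components climb above root.
    """
    return posixpath.normpath(posixpath.join(root, requested))


def confined_resolve(root: str, requested: str):
    """Resolve a name relative to root and refuse anything outside it.

    Strips leading slashes so absolute names become relative, normalises away
    '.' and '..', then checks that the result is still a descendant of root.
    Returns None when the request would escape. (Real code must also follow
    symlinks with realpath; omitted here because the paths are not on disk.)
    """
    root = posixpath.normpath(root)
    if not requested or "\x00" in requested:
        return None
    target = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # 'root + "/"' stops '/srv/tftp2' from passing the prefix check for '/srv/tftp';
    # a request that resolves to the root directory itself is not a file either.
    if target == root or not target.startswith(root + "/"):
        return None
    return target


# Constructed example requests against a hypothetical served directory.
ROOT = "/srv/tftp"
REQUESTS = [
    "firmware/boot.bin",          # legitimate
    "../../etc/passwd",           # classic traversal
    "/etc/shadow",                # absolute path
    "fw/../../../root/.bashrc",   # traversal hidden behind a valid prefix
]


def compare(root: str, requests):
    """Return {request: (what the vulnerable code opens, what the confined code allows)}."""
    return {r: (unsafe_resolve(root, r), confined_resolve(root, r)) for r in requests}


if __name__ == "__main__":
    for req, (unsafe, safe) in compare(ROOT, REQUESTS).items():
        print(f"{req!r:32} unsafe -> {unsafe:24} confined -> {safe}")
```

Note that the confined version does not clamp an absolute name to a file of the same name under the root silently by accident: that is the intended reading of "all requested filenames are treated as relative to the root directory", and the prefix check is what actually refuses the escapes.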


How can this vulnerability impact me?

This vulnerability can allow unauthenticated remote users to read or modify files on the host running the Erlang/OTP TFTP server. TFTP itself carries no authentication, so anyone who can reach the server's UDP port can issue requests.

Because the server runs with the permissions of the OS user that owns the Erlang VM, attackers can access any file that user can read or write, potentially exposing sensitive data or allowing unauthorized changes to files the VM can write.

If the TFTP server is exposed to untrusted networks and is not confined with the `root_dir` restriction, attackers can use directory traversal to read files outside the served directory (information disclosure) or, where write requests are accepted, to overwrite them (data tampering).

Workarounds include restricting file permissions so that sensitive files are not accessible to the Erlang VM user, limiting network exposure of the TFTP server, and disabling write access via the server's options.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: establishing whether a host runs an affected Erlang/OTP release (OTP 17.0 onwards, before the patched versions) with a TFTP server reachable from untrusted networks, and watching TFTP traffic for requests whose filenames contain relative path components such as "../", which indicate traversal attempts. Only the initial read or write request is sent to UDP port 69 (the transfer then continues on ephemeral ports), but the filename appears only in that first packet, so filtering on port 69 is enough to see it.

Capture and inspect TFTP requests with tcpdump or Wireshark:

  • `tcpdump -i <interface> -nn -s0 -v port 69 and udp`
  • In Wireshark, filter on the `tftp` protocol and examine the filename of each read/write request for ".." components or absolute paths.

To check the installed OTP version, note that `erlang:system_info(otp_release)` returns only the major release (for example "27"), which cannot distinguish a patched 27.3.4.8 from an earlier 27.x. The full version is recorded in the OTP_VERSION file of the active release, which can be printed from the shell:

  • `erl -noshell -eval '{ok, V} = file:read_file(filename:join([code:root_dir(), "releases", erlang:system_info(otp_release), "OTP_VERSION"])), io:format("~s", [V]), halt().'`

If the version is OTP 17.0 or later but earlier than the patched version of its release line (26.2.5.17, 27.3.4.8 or 28.3.2), the system is potentially vulnerable. [5]
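An added offline checker for the traffic-side detection described above; it is not from the page or from the OTP project. It parses TFTP read and write requests (RFC 1350 opcodes 1 and 2, layout opcode | filename | NUL | mode | NUL) from raw UDP payloads and flags filenames that contain a `..` component with either separator or that are absolute. The packets below are constructed samples, not captured traffic.

```python
"""Offline detector for path-traversal attempts in TFTP requests (CVE-2026-21620).
Added example: parses RRQ/WRQ packets per RFC 1350 and flags suspicious filenames."""
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}   # read request / write request


def parse_tftp_request(payload: bytes):
    """Decode a TFTP request: opcode(2 bytes) | filename | NUL | mode | NUL [| options].

    Returns (opcode_name, filename, mode) or None if the payload is not a
    well-formed RRQ/WRQ (data, ack and error packets are ignored).
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None
    fields = payload[2:].split(b"\x00")
    # A valid request has at least filename, mode and the empty tail after the final NUL.
    if len(fields) < 3 or not fields[0]:
        return None
    filename = fields[0].decode("latin-1")   # TFTP names are NUL-terminated byte strings
    mode = fields[1].decode("latin-1").lower()
    return OPCODES[opcode], filename, mode


def is_traversal(filename: str) -> bool:
    """True if the name could escape a served directory.

    Checks for '..' path components with either separator (the OTP server also
    runs on Windows) and for absolute paths, which an unconfined server would
    honour verbatim.
    """
    normalised = filename.replace("\\", "/")
    if normalised.startswith("/"):
        return True
    return any(part == ".." for part in normalised.split("/"))


def scan_payloads(packets):
    """Scan (source, payload) pairs; return one finding per traversal attempt."""
    findings = []
    for source, payload in packets:
        parsed = parse_tftp_request(payload)
        if parsed is None:
            continue
        op, name, mode = parsed
        if is_traversal(name):
            findings.append({"source": source, "opcode": op, "filename": name, "mode": mode})
    return findings


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Encode an RRQ/WRQ; used here only to construct the sample packets."""
    return struct.pack("!H", opcode) + filename.encode("latin-1") + b"\x00" + mode.encode("ascii") + b"\x00"


# Constructed sample traffic (not a real capture): a benign read, a traversal
# read, an absolute-path write, and a data packet that must be ignored.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_request(1, "firmware/boot.bin")),
    ("10.0.0.99", build_request(1, "../../../../etc/passwd")),
    ("10.0.0.99", build_request(2, "/root/.ssh/authorized_keys", "netascii")),
    ("10.0.0.5", struct.pack("!HH", 3, 1) + b"payload"),
]

if __name__ == "__main__":
    for f in scan_payloads(SAMPLE_PACKETS):
        print(f"{f['source']}: {f['opcode']} {f['filename']!r} ({f['mode']})")
```

To run it over real traffic, feed `scan_payloads` the UDP payloads of packets addressed to port 69 from a capture (for example via scapy or a tshark field export; Wireshark's TFTP dissector exposes the requested name as `tftp.source_file` for reads and `tftp.destination_file` for writes).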


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation focuses on confining the file system access of the Erlang/OTP TFTP server so that path traversal cannot reach files outside the directory it is meant to serve.

  • Upgrade Erlang/OTP to a release that includes the fix for CVE-2026-21620: 26.2.5.17, 27.3.4.8, 28.3.2 or later in the respective release line. The `root_dir` option was introduced by this fix, so upgrading is the prerequisite for using it.
  • On a patched release, configure the TFTP server to pass `{root_dir, Dir}` to the `tftp_file` callback module, so that all file operations are restricted to Dir and its subdirectories and every requested name is interpreted relative to Dir.
  • Ensure that `Dir` is an absolute path to an existing directory that contains only the files meant to be served.
  • Restrict network exposure of the TFTP port (UDP 69) to trusted hosts with firewall rules or network segmentation; TFTP has no authentication of its own, so reachability is the only access control an unpatched server has.
  • Run the Erlang VM as a dedicated OS user whose file permissions cover only the served files, so that traversal on an unpatched server cannot reach sensitive files.
  • Pass the `tftp` option `{reject, write}` when starting the server to disable write access if writes are not needed.

These steps collectively reduce the risk of exploitation by confining file access, limiting network reachability, and applying the principle of least privilege.

