CVE-2026-28808
Awaiting Analysis Awaiting Analysis - Queue
Incorrect Authorization in Erlang OTP Inets Allows Unauthenticated CGI Access

Publication date: 2026-04-07

Last updated on: 2026-04-23

Assigner: EEF

Description
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28808
EUVD
EUVD-2026-19602
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
erlang erlang/otp From 17.0 (inc) to 26.2.5.19 (exc)
erlang erlang/otp From 27.0 (inc) to 27.3.4.10 (exc)
erlang erlang/otp From 28.0 (inc) to 28.4.2 (exc)
erlang erlang/inets From 5.10 (inc) to 9.1.0.6 (exc)
erlang erlang/inets From 9.2 (exc) to 9.3.2.4 (exc)
erlang erlang/inets From 9.4 (exc) to 9.6.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28808 is an Incorrect Authorization vulnerability in the Erlang OTP inets HTTP server modules. It occurs when the script_alias directive maps a URL prefix to a directory outside the DocumentRoot, causing a path mismatch between mod_auth and mod_cgi modules. Specifically, mod_auth applies directory-based access controls relative to the DocumentRoot path, while mod_cgi executes CGI scripts based on the ScriptAlias-resolved filesystem path. This mismatch allows unauthenticated users to access CGI scripts that should be protected by directory access rules.

The vulnerability affects Erlang OTP versions from 17.0 up to 28.4.2 and corresponding inets module versions. It involves source files mod_alias.erl, mod_auth.erl, and mod_cgi.erl.

Compliance Impact

This vulnerability allows unauthenticated access to CGI scripts that were intended to be protected by directory-based access controls. Such unauthorized access can lead to exposure of sensitive information or unauthorized actions on the affected server.

Because the vulnerability enables bypassing authentication controls and potentially exposing confidential data, it can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Organizations using affected Erlang OTP versions with the vulnerable configuration may fail to meet these regulatory requirements unless mitigations or patches are applied.

Impact Analysis

This vulnerability allows remote attackers to bypass authentication controls and gain unauthenticated access to CGI scripts that are intended to be protected by directory-based access rules. As a result, attackers can execute CGI scripts without proper authorization.

The impact includes potential exposure of sensitive information and unauthorized actions on the affected server. The CVSS 4.0 base score is 8.3 (High), indicating a serious security risk with high confidentiality impact and low integrity impact.

  • Attackers can remotely access protected CGI scripts without credentials.
  • Sensitive data handled by CGI scripts may be exposed.
  • Unauthorized execution of scripts could lead to further compromise.
Detection Guidance

Detection of this vulnerability involves verifying if your Erlang OTP inets HTTP server is using the script_alias directive to map URL prefixes to directories outside the DocumentRoot, combined with directory-based access controls configured via mod_auth.

You should check your server configuration files for the presence of script_alias directives pointing outside the DocumentRoot and confirm if mod_auth is applied to those directories.

Additionally, testing access to CGI scripts under these script_alias paths without authentication can help detect if unauthorized access is possible.

For example, you can use HTTP client commands like curl to attempt accessing CGI scripts under the script_alias URL prefix without credentials and observe if access is granted (HTTP 200) or denied (HTTP 401).

  • curl -i http://yourserver/script_alias_path/cgi_script
  • curl -i -u validuser:validpassword http://yourserver/script_alias_path/cgi_script
  • curl -i -u invaliduser:invalidpassword http://yourserver/script_alias_path/cgi_script

If the first command returns HTTP 200 without authentication, it indicates the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include:

  • Move CGI scripts inside the DocumentRoot and use Alias instead of ScriptAlias to ensure mod_auth correctly applies directory-based access controls.
  • Apply URL-based access controls at a reverse proxy to block unauthenticated access to ScriptAlias URL prefixes.
  • Remove mod_cgi from the HTTP server modules if CGI functionality is not required.

Additionally, upgrading to patched versions of Erlang OTP and inets modules where this vulnerability is fixed is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28808. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart