CVE-2026-28808
Incorrect Authorization in Erlang OTP Inets Allows Unauthenticated CGI Access
Publication date: 2026-04-07
Last updated on: 2026-04-23
Assigner: EEF
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| erlang | erlang/otp | From 17.0 (inc) to 26.2.5.19 (exc) |
| erlang | erlang/otp | From 27.0 (inc) to 27.3.4.10 (exc) |
| erlang | erlang/otp | From 28.0 (inc) to 28.4.2 (exc) |
| erlang | erlang/inets | From 5.10 (inc) to 9.1.0.6 (exc) |
| erlang | erlang/inets | From 9.2 (exc) to 9.3.2.4 (exc) |
| erlang | erlang/inets | From 9.4 (exc) to 9.6.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated access to CGI scripts that were intended to be protected by directory-based access controls. Such unauthorized access can lead to exposure of sensitive information or unauthorized actions on the affected server.
Because the vulnerability enables bypassing authentication controls and potentially exposing confidential data, it can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.
Organizations using affected Erlang OTP versions with the vulnerable configuration may fail to meet these regulatory requirements unless mitigations or patches are applied.
Can you explain this vulnerability to me?
CVE-2026-28808 is an Incorrect Authorization vulnerability in the Erlang OTP inets HTTP server modules. It occurs when the script_alias directive maps a URL prefix to a directory outside the DocumentRoot, causing a path mismatch between the mod_auth and mod_cgi modules. Specifically, mod_auth applies directory-based access controls relative to the DocumentRoot path, while mod_cgi executes CGI scripts based on the ScriptAlias-resolved filesystem path. Because the two modules evaluate different paths for the same request, a directory rule written for the CGI directory is never matched, and unauthenticated users can reach CGI scripts that should be protected by directory access rules.
The vulnerability affects Erlang OTP versions from 17.0 up to 28.4.2 and corresponding inets module versions. It involves source files mod_alias.erl, mod_auth.erl, and mod_cgi.erl.
How can this vulnerability impact me?
This vulnerability allows remote attackers to bypass authentication controls and gain unauthenticated access to CGI scripts that are intended to be protected by directory-based access rules. As a result, attackers can execute CGI scripts without proper authorization.
The impact includes potential exposure of sensitive information and unauthorized actions on the affected server. The CVSS 4.0 base score is 8.3 (High), indicating a serious security risk with high confidentiality impact and low integrity impact.
- Attackers can remotely access protected CGI scripts without credentials.
- Sensitive data handled by CGI scripts may be exposed.
- Unauthorized execution of scripts could lead to further compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability involves verifying whether your Erlang OTP inets HTTP server uses the script_alias directive to map URL prefixes to directories outside the DocumentRoot, combined with directory-based access controls configured via mod_auth.
Check your server configuration files for script_alias directives pointing outside the DocumentRoot and confirm whether mod_auth directory rules are applied to those directories.
Additionally, testing access to CGI scripts under these script_alias paths without authentication can reveal whether unauthorized access is possible.
For example, you can use an HTTP client such as curl to request a CGI script under the script_alias URL prefix without credentials and observe whether access is granted (HTTP 200) or denied (HTTP 401).
- curl -i http://yourserver/script_alias_path/cgi_script
- curl -i -u validuser:validpassword http://yourserver/script_alias_path/cgi_script
- curl -i -u invaliduser:invalidpassword http://yourserver/script_alias_path/cgi_script
If the first command returns HTTP 200 without authentication, it indicates the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Move CGI scripts inside the DocumentRoot and use Alias instead of ScriptAlias to ensure mod_auth correctly applies directory-based access controls.
- Apply URL-based access controls at a reverse proxy to block unauthenticated access to ScriptAlias URL prefixes.
- Remove mod_cgi from the HTTP server modules if CGI functionality is not required.
Additionally, upgrading to patched versions of Erlang OTP and inets modules where this vulnerability is fixed is recommended.
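The configuration check from the detection answer and the relocation recommended in the mitigation steps, as an added Python example that is not code from the advisory or from Erlang/OTP. It assumes the server configuration is in inets' Erlang property-list form ({document_root, ...}, {script_alias, ...}, {directory, ...}); both sample configs are constructed.

```python
import posixpath
import re
from dataclasses import dataclass

# inets httpd property-list directives involved in CVE-2026-28808.
DOC_ROOT_RE = re.compile(r'\{document_root,\s*"([^"]*)"\}')
SCRIPT_ALIAS_RE = re.compile(r'\{script_alias,\s*\{"([^"]*)",\s*"([^"]*)"\}\}')
DIRECTORY_RE = re.compile(r'\{directory,\s*\{"([^"]*)",')

@dataclass
class Finding:
    url_prefix: str              # URL prefix mapped by script_alias
    target_dir: str              # filesystem directory it resolves to
    outside_docroot: bool        # the risky pattern described in the advisory
    ineffective_auth_rule: bool  # a directory rule names target_dir, but on affected
                                 # versions mod_auth matches the DocumentRoot-relative path

def _inside(path: str, root: str) -> bool:
    """True if path equals root or lies below it (POSIX paths, no symlink resolution)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit_script_aliases(config_text: str) -> list[Finding]:
    """One Finding per script_alias directive in an inets httpd proplist config."""
    m = DOC_ROOT_RE.search(config_text)
    if m is None:
        raise ValueError("config has no document_root directive")
    auth_dirs = DIRECTORY_RE.findall(config_text)
    findings = []
    for prefix, target in SCRIPT_ALIAS_RE.findall(config_text):
        outside = not _inside(target, m.group(1))
        covered = any(_inside(target, d) for d in auth_dirs)
        findings.append(Finding(prefix, target, outside, outside and covered))
    return findings

# Constructed samples: the vulnerable pattern (CGI directory outside DocumentRoot,
# "protected" by a directory rule) and the same site after the advisory's mitigation
# (scripts moved under DocumentRoot, mapped with alias, rule moved with them).
VULNERABLE_CONFIG = """
{document_root, "/var/www/htdocs"}.
{script_alias, {"/cgi-bin/", "/srv/cgi-bin/"}}.
{script_alias, {"/tools/", "/var/www/htdocs/tools/"}}.
{directory, {"/srv/cgi-bin", [{auth_type, plain}, {require_user, ["admin"]}]}}.
"""
MITIGATED_CONFIG = """
{document_root, "/var/www/htdocs"}.
{alias, {"/cgi-bin/", "/var/www/htdocs/cgi-bin/"}}.
{directory, {"/var/www/htdocs/cgi-bin", [{auth_type, plain}, {require_user, ["admin"]}]}}.
"""
```

Running audit_script_aliases(VULNERABLE_CONFIG) flags /cgi-bin/ as outside the DocumentRoot with a directory rule that will not be applied, while /tools/ is reported as inside; the mitigated sample yields no script_alias findings at all.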