CVE-2026-28808

April 7, 2026, 1:20 p.m.

8.3
High

Description

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Product(s) Impacted

Vendor Product Versions
Erlang
  • Otp
  • Inets
  • 17.0-28.4.2, 26.2.5.19, 27.3.4.10
  • 5.10-9.6.2, 9.3.2.4, 9.1.0.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a erlang otp 17.0-28.4.2 / / / / / / /
a erlang inets 5.10-9.6.2 / / / / / / /
a erlang inets 9.3.2.4 / / / / / / /
a erlang inets 9.1.0.6 / / / / / / /
a erlang otp 26.2.5.19 / / / / / / /
a erlang otp 27.3.4.10 / / / / / / /

References

https://cna.erlef.org/cves/CVE-2026-28808.html
https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688
https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c
https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f
https://osv.dev/vulnerability/EEF-CVE-2026-28808
https://www.erlang.org/doc/system/versions.html#order-of-versions

Tags

CWE-863
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
2026-04-07
CVE-2026-28808

CVSS Score

8.3 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: April 7, 2026, 1:16 p.m.
Last Modified: April 7, 2026, 1:20 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

6b3ad84c-e1a6-4bf7-a703-f496b71e49db

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.