CVE-2026-28808

EUVD-2026-19602
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.

When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path, while mod_cgi executes the script at the script_alias-resolved path. A directory rule keyed on the script_alias target therefore never matches the path that mod_auth checks, and the request reaches mod_cgi without any authentication challenge. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.

This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.
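The configuration pattern the description refers to, as an added example that is not from the advisory or from the OTP sources: an inets httpd property list whose script_alias target lies outside document_root and whose mod_auth directory rule is keyed on that target, together with a small linter that flags exactly that pairing so affected deployments can be found before patching. The module name, port and every path are constructed for illustration.

```erlang
-module(cve_2026_28808_lint).
-export([example_config/0, misaligned_script_aliases/1, main/0]).

%% Constructed inets httpd configuration (hypothetical paths) showing the
%% pattern from the description: /cgi-bin/ is served from /opt/cgi, which
%% is outside document_root, and the mod_auth directory rule that is meant
%% to gate those scripts is keyed on /opt/cgi.
example_config() ->
    [{port, 8080},
     {server_name, "localhost"},
     {server_root, "/var/inets"},
     {document_root, "/var/inets/htdocs"},
     {modules, [mod_alias, mod_auth, mod_cgi, mod_get, mod_head, mod_log]},
     %% mod_cgi resolves /cgi-bin/foo.sh to /opt/cgi/foo.sh.
     {script_alias, {"/cgi-bin/", "/opt/cgi/"}},
     %% On affected releases mod_auth checks /var/inets/htdocs/cgi-bin/foo.sh
     %% instead, so this rule never matches and no challenge is sent.
     {directory, {"/opt/cgi",
                  [{auth_type, plain},
                   {auth_name, "Scripts"},
                   {auth_user_file, "/var/inets/auth/passwd"},
                   {auth_group_file, "/var/inets/auth/group"},
                   {require_user, ["ops"]}]}}].

%% Return [{AliasUrl, AliasTarget, DirectoryRulePath}] for every mod_auth
%% directory rule whose path lies under a script_alias target that is
%% outside document_root. Those are the rules the mismatch silently
%% bypasses; an empty list means the config does not use the pattern.
misaligned_script_aliases(Config) ->
    DocRoot = norm(proplists:get_value(document_root, Config)),
    Aliases = [{Url, norm(Target)} || {script_alias, {Url, Target}} <- Config],
    Dirs    = [norm(Dir) || {directory, {Dir, _Props}} <- Config],
    [{Url, Target, Dir} || {Url, Target} <- Aliases,
                           not under(Target, DocRoot),
                           Dir <- Dirs,
                           under(Dir, Target)].

%% Strip trailing slashes so "/opt/cgi/" and "/opt/cgi" compare equal.
norm(Path) -> string:trim(Path, trailing, "/").

%% true when Path is Base itself or a descendant of Base.
under(Path, Base) ->
    Path =:= Base orelse lists:prefix(Base ++ "/", Path).

main() ->
    case misaligned_script_aliases(example_config()) of
        [] ->
            io:format("no directory rule depends on a script_alias target~n");
        Hits ->
            lists:foreach(
              fun({Url, Target, Dir}) ->
                      io:format("~s -> ~s lies outside document_root; the directory "
                                "rule on ~s is not enforced on affected releases~n",
                                [Url, Target, Dir])
              end, Hits)
    end.
```

Compile with `erlc cve_2026_28808_lint.erl` and run `erl -noshell -s cve_2026_28808_lint main -s init stop`; on the constructed config it reports the /cgi-bin/ -> /opt/cgi pairing. To confirm a live server's state, request a script under the alias without credentials: on an affected release the script runs, on one of the fixed releases listed above mod_auth's challenge applies. The only supported fix is upgrading; keying the rule on a different path to work around the mismatch would rely on the bug itself and is not something the advisory endorses.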

This issue affects OTP from 17.0 up to, but not including, the fixed releases 28.4.2, 27.3.4.10 and 26.2.5.19 (one per maintenance branch), corresponding to inets from 5.10 up to, but not including, the fixed versions 9.6.2, 9.3.2.4 and 9.1.0.6.
CVSS 3.x Base Score
Provider  Type     Base Score    Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  9.8 CRITICAL  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score: percentile 11%
Affected Products (NVD)
Vendor  Product       Version (x = vulnerable software versions)
erlang  erlang/inets  5.10 ≤ x < 9.1.0.6
erlang  erlang/inets  9.2 < x < 9.3.2.4
erlang  erlang/inets  9.4 < x < 9.6.2
erlang  erlang/otp    17.0 ≤ x < 26.2.5.19
erlang  erlang/otp    27.0 ≤ x < 27.3.4.10
erlang  erlang/otp    28.0 ≤ x < 28.4.2
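To turn the ranges above into a check, here is an added Erlang module (not part of the advisory, NVD data or OTP) that parses dotted version strings and tests them against the three maintenance branches, then reports on the running node. Lower bounds are treated as inclusive on every branch, following the description paragraph ("from 5.10 until ..."); the NVD table's strict "9.2 <" and "9.4 <" would exclude only the first release of those branches. The module name is constructed; the OTP_VERSION file location is the documented one.

```erlang
-module(cve_2026_28808_versions).
-export([inets_affected/1, otp_affected/1, parse_version/1, installed/0]).

%% Affected ranges from the advisory text, one per maintenance branch:
%% {FirstAffected, FixedIn}, inclusive at the start and exclusive at the
%% fixed release.
inets_ranges() ->
    [{"5.10", "9.1.0.6"}, {"9.2", "9.3.2.4"}, {"9.4", "9.6.2"}].

otp_ranges() ->
    [{"17.0", "26.2.5.19"}, {"27.0", "27.3.4.10"}, {"28.0", "28.4.2"}].

%% "26.2.5.19" -> [26,2,5,19]. Erlang compares lists element by element
%% and a proper prefix sorts first, so [9,6] < [9,6,2] just as 9.6 < 9.6.2.
parse_version(Vsn) ->
    [list_to_integer(Part) || Part <- string:lexemes(Vsn, ".")].

in_ranges(Vsn, Ranges) ->
    V = parse_version(Vsn),
    lists:any(fun({First, Fixed}) ->
                      V >= parse_version(First) andalso V < parse_version(Fixed)
              end, Ranges).

inets_affected(Vsn) -> in_ranges(Vsn, inets_ranges()).
otp_affected(Vsn)   -> in_ranges(Vsn, otp_ranges()).

%% Full OTP version: erlang:system_info(otp_release) only gives the major
%% number; the patch level lives in releases/<Major>/OTP_VERSION. Returns
%% undefined when that file is absent rather than guessing a patch level.
installed_otp_version() ->
    Major = erlang:system_info(otp_release),
    File = filename:join([code:root_dir(), "releases", Major, "OTP_VERSION"]),
    case file:read_file(File) of
        {ok, Bin} -> string:trim(binary_to_list(Bin));
        {error, _} -> undefined
    end.

%% inets version as recorded in its .app file.
installed_inets_version() ->
    case application:load(inets) of
        ok -> ok;
        {error, {already_loaded, inets}} -> ok
    end,
    {ok, Vsn} = application:get_key(inets, vsn),
    Vsn.

%% Report on the running node. A hit means "inside the upstream range";
%% a vendor package that backports the fix keeps both version strings
%% inside that range (the SUSE rows on this page show erlang 23.3.4.19 as
%% fixed), so confirm against the distribution advisory before acting.
installed() ->
    Inets = installed_inets_version(),
    Otp = case installed_otp_version() of
              undefined -> #{otp => unknown};
              V -> #{otp => V, otp_affected => otp_affected(V)}
          end,
    Otp#{inets => Inets, inets_affected => inets_affected(Inets)}.
```

Example calls: `cve_2026_28808_versions:inets_affected("9.6.1")` is true, `inets_affected("9.6.2")` and `inets_affected("9.3.2.4")` are false, `otp_affected("26.2.5.18")` is true and `otp_affected("27.3.4.10")` is false. Run `erl -noshell -eval 'io:format("~p~n", [cve_2026_28808_versions:installed()]), halt().'` on the node that serves the httpd to get the report map.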
Ubuntu Releases (package: erlang)
Codename  Status
bionic    needs-triage
focal     needs-triage
jammy     needs-triage
noble     needs-triage
questing  needs-triage
resolute  needs-triage
trusty    needs-triage
xenial    needs-triage
openSUSE / SLES Releases
Package       Product                         Fixed package version    Status
erlang        suse enterprise sap 15 SP4      23.3.4.19-150300.3.32.1  fixed
erlang        suse enterprise sap 15 SP5      23.3.4.19-150300.3.32.1  fixed
erlang        suse enterprise sap 15 SP7      23.3.4.19-150300.3.32.1  fixed
erlang        suse enterprise server 15 SP4   23.3.4.19-150300.3.32.1  fixed
erlang        suse enterprise server 15 SP5   23.3.4.19-150300.3.32.1  fixed
erlang        suse enterprise server 15 SP6   23.3.4.19-150300.3.32.1  fixed
erlang        suse enterprise server 15 SP7   23.3.4.19-150300.3.32.1  fixed
erlang-epmd   suse enterprise sap 15 SP4      23.3.4.19-150300.3.32.1  fixed
erlang-epmd   suse enterprise sap 15 SP5      23.3.4.19-150300.3.32.1  fixed
erlang-epmd   suse enterprise sap 15 SP7      23.3.4.19-150300.3.32.1  fixed
erlang-epmd   suse enterprise server 15 SP4   23.3.4.19-150300.3.32.1  fixed
erlang-epmd   suse enterprise server 15 SP5   23.3.4.19-150300.3.32.1  fixed
erlang-epmd   suse enterprise server 15 SP6   23.3.4.19-150300.3.32.1  fixed
erlang-epmd   suse enterprise server 15 SP7   23.3.4.19-150300.3.32.1  fixed
erlang26      suse enterprise sap 15 SP7      26.2.1-150300.7.25.1     fixed
erlang26      suse enterprise server 15 SP6   26.2.1-150300.7.25.1     fixed
erlang26      suse enterprise server 15 SP7   26.2.1-150300.7.25.1     fixed
erlang26-epmd suse enterprise sap 15 SP7      26.2.1-150300.7.25.1     fixed
erlang26-epmd suse enterprise server 15 SP6   26.2.1-150300.7.25.1     fixed
erlang26-epmd suse enterprise server 15 SP7   26.2.1-150300.7.25.1     fixed

Note that the SUSE package versions above (23.3.4.19 and 26.2.1) sit inside the upstream affected range for OTP; the fix is carried as a distribution backport, so the package release string, not the upstream version number, is what indicates the patched state.