216.73.216.86

CVE-2026-28808

· Published 07/04/2026 13:16 · Modified 07/04/2026 13:20

Labels: CVE-2026-28808 2026-04-076b3ad84c-e1a6-4bf7-a703-f496b71e49dbCVE-2026-28808CWE-863

Essential information

Published
07/04/2026 13:16
Modified
07/04/2026 13:20
Author
Creator
CVSS
8.3 HIGH (v3) 8.3 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

NVD status

Status
Undergoing Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
NVD
View on NVD

Affected products (CPE)

ProductCPE
erlang / otp cpe:2.3:a:erlang:otp:17.0-28.4.2:*:*:*:*:*:*:*
erlang / inets cpe:2.3:a:erlang:inets:5.10-9.6.2:*:*:*:*:*:*:*
erlang / inets cpe:2.3:a:erlang:inets:9.3.2.4:*:*:*:*:*:*:*
erlang / inets cpe:2.3:a:erlang:inets:9.1.0.6:*:*:*:*:*:*:*
erlang / otp cpe:2.3:a:erlang:otp:26.2.5.19:*:*:*:*:*:*:*
erlang / otp cpe:2.3:a:erlang:otp:27.3.4.10:*:*:*:*:*:*:*

References