CVE-2026-28808
Description
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.
When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.
This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.
This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
Affected products
2Patches
28fc71ac6af4f9dfa0c51eac9Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688nvdPatch
- github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7cnvdPatch
- cna.erlef.org/cves/CVE-2026-28808.htmlnvdVendor AdvisoryMitigation
- github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3fnvdThird Party Advisory
- osv.dev/vulnerability/EEF-CVE-2026-28808nvdThird Party AdvisoryPatch
- www.erlang.org/doc/system/versions.htmlnvdProduct
News mentions
0No linked articles in our index yet.