Description
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.

When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.

This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
Published: 2026-04-07
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated access to protected CGI scripts
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from a mismatch between how the authentication module evaluates directory-based rules and how the CGI module resolves script paths when a ScriptAlias is defined. When a URL prefix is mapped outside the DocumentRoot, the authentication module checks access controls against the DocumentRoot-relative path while the CGI module executes the script at the actual ScriptAlias-resolved location. This confusion allows unauthenticated users to invoke CGI scripts that were intended to be protected, resulting in unauthorized execution of those scripts.

Affected Systems

The Erlang/OTP runtime, specifically the inets HTTP server (httpd), is affected. OTP versions from 17.0 through 28.4.2, together with the 27.3.4.10 and 26.2.5.19 maintenance releases, are affected; these correspond to inets 5.10 through 9.6.2, 9.3.2.4 and 9.1.0.6. Any installation that uses ScriptAlias to expose CGI scripts is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.3 the flaw is classified as high severity. The EPSS score is not available and it is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request to a URL under a ScriptAlias prefix, which the CGI module will execute regardless of directory rules. Exploitation requires only that a CGI script exists outside the DocumentRoot; the attacker can trigger its execution without authentication. The complexity of the attack is low and the impact is potential unauthorized execution of scripts, which could compromise the server if those scripts perform sensitive operations. Given these factors, the vulnerability poses a significant risk to affected systems.

Generated by OpenCVE AI on April 8, 2026 at 02:27 UTC.

Remediation

Vendor Workaround

* Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.
* Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.
* Remove mod_cgi from the httpd modules chain if CGI functionality is not required.

OpenCVE Recommended Actions

  • Upgrade Erlang OTP to a version newer than 28.4.2 to apply the vendor fix
  • Move CGI scripts inside the DocumentRoot and use alias instead of ScriptAlias to ensure the authentication module checks the correct path
  • Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the ScriptAlias URL prefix
  • If CGI functionality is not required, remove the mod_cgi module from the httpd modules chain
  • Check the Erlang vendor website for further updates and patches
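The following configuration audit is an added example written for this page, not OTP code: it reports every script_alias whose real directory lies outside document_root while mod_cgi is loaded, names the mod_auth directory rules that such a target was meant to be covered by, and runs that check over a constructed vulnerable httpd property list beside two constructed configurations shaped like the workarounds above (scripts moved under document_root; mod_cgi dropped). The module name, ports, paths and password file are assumptions.

```erlang
%% cgi_alias_audit.erl: flag the script_alias / directory-rule mismatch of
%% CVE-2026-28808 in an inets httpd property list. Constructed example for
%% this page, not OTP code. Build and run with:
%%   erlc cgi_alias_audit.erl && erl -noshell -s cgi_alias_audit main -s init stop
-module(cgi_alias_audit).
-export([main/0, audit/1]).

%% Returns [] when the vulnerable pattern is absent, otherwise one tuple per
%% script_alias whose real directory lies outside document_root while
%% mod_cgi is loaded. The tuple also names the mod_auth directory rules that
%% cover that real directory: those are the rules the mismatch bypasses,
%% since mod_auth matches DocumentRoot ++ UrlPath, never the resolved path.
audit(Config) ->
    {document_root, DocRoot} = lists:keyfind(document_root, 1, Config),  % mandatory in httpd
    Modules = proplists:get_value(modules, Config, []),
    Rules = [split(Dir) || {Dir, _Props} <- proplists:get_all_values(directory, Config)],
    case lists:member(mod_cgi, Modules) of
        false -> [];
        true  -> [{script_alias_outside_docroot, Alias, Real,
                   {bypassed_directory_rules,
                    [filename:join(R) || R <- Rules, lists:prefix(R, split(Real))]}}
                  || {Alias, Real} <- proplists:get_all_values(script_alias, Config),
                     not lists:prefix(split(DocRoot), split(Real))]
    end.

%% Path as a component list so prefix tests ignore trailing slashes.
split(Path) -> filename:split(filename:absname(Path)).

main() ->
    Base = [{port, 8080}, {server_name, "example.test"},
            {server_root, "/srv/httpd"}, {document_root, "/srv/httpd/htdocs"}],
    Auth = [{auth_type, plain}, {auth_name, "cgi"},
            {auth_user_file, "/srv/httpd/conf/passwd"}, {require_user, ["admin"]}],
    %% Vulnerable: scripts live outside document_root and the directory rule
    %% names that outside path, which mod_auth never compares against.
    Vulnerable = Base ++
        [{modules, [mod_alias, mod_auth, mod_cgi, mod_dir, mod_get, mod_head, mod_log]},
         {script_alias, {"/cgi-bin/", "/srv/httpd/cgi-bin/"}},
         {directory, {"/srv/httpd/cgi-bin", Auth}}],
    %% CGI still needed: scripts moved under document_root, so the
    %% DocumentRoot-relative path and the resolved path coincide and the rule applies.
    InRoot = Base ++
        [{modules, [mod_alias, mod_auth, mod_cgi, mod_dir, mod_get, mod_head, mod_log]},
         {script_alias, {"/cgi-bin/", "/srv/httpd/htdocs/cgi-bin/"}},
         {directory, {"/srv/httpd/htdocs/cgi-bin", Auth}}],
    %% CGI not needed: mod_cgi dropped from the module chain.
    NoCgi = Base ++ [{modules, [mod_alias, mod_auth, mod_dir, mod_get, mod_head, mod_log]}],
    io:format("vulnerable: ~p~nin_root: ~p~nno_cgi: ~p~n",
              [audit(Vulnerable), audit(InRoot), audit(NoCgi)]).
```

Only the first configuration produces a finding, naming "/srv/httpd/cgi-bin" as the directory rule the mismatch bypasses; the other two return [].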

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 17:45:00 +0000

  First Time appeared: Erlang erlang/inets
  CPEs: cpe:2.3:a:erlang:erlang/inets:*:*:*:*:*:*:*:*
  Vendors & Products: Erlang erlang/inets
  Metrics cvssV3_1, value removed: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  Metrics cvssV3_1, value added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 20:15:00 +0000

  First Time appeared: Erlang erlang/otp; Erlang otp
  Vendors & Products: Erlang erlang/otp; Erlang otp

Wed, 08 Apr 2026 00:15:00 +0000

  Weaknesses: CWE-551
  References
  Metrics threat_severity, value removed: None
  Metrics cvssV3_1, value added: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  Metrics threat_severity, value added: Important

Tue, 07 Apr 2026 15:15:00 +0000

  Description: added (the text shown in the Description section at the top of this page)
  Title: ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)
  First Time appeared: Erlang; Erlang erlang/otp
  Weaknesses: CWE-863
  CPEs: cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
  Vendors & Products: Erlang; Erlang erlang/otp
  References
  Metrics cvssV4_0: {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}
  Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-04-07T14:38:09.190Z
Reserved: 2026-03-03T14:40:00.590Z
Link: CVE-2026-28808

Vulnrichment

Updated: 2026-04-07T13:14:12.725Z

NVD

Status: Analyzed
Published: 2026-04-07T13:16:46.320
Modified: 2026-04-23T17:39:58.737
Link: CVE-2026-28808

Red Hat

Severity: Important
Public Date: 2026-04-07T12:28:16Z
Links: CVE-2026-28808 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:49:42Z

Weaknesses