CVE-2026-28808

Summary

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.

When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.

This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Affected Software

VendorProductVersion RangeStatus
ErlangOTP5.10 < *affected
ErlangOTP17.0 < *affected
ErlangOTP07b8f441ca711f9812fad9e9115bab3c3aa92f79 < *affected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization

Workarounds

  • Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.
  • Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.
  • Remove mod_cgi from the httpd modules chain if CGI functionality is not required.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

erlang/otp: inets: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization

Additional References

References