CVE-2026-28808: ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)

Published Apr 7, 2026
·
Updated

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Affected Software

8 affected components
Erlang OTP>=17.0<=28.4.2, >=17.0<=27.3.4.10, >=17.0<=26.2.5.19
Erlang inets>=5.10<=9.6.2, >=5.10<=9.3.2.4, >=5.10<=9.1.0.6
Erlang Erlang\/inets>=5.10<9.1.0.6
Erlang Erlang\/inets>9.2<9.3.2.4
Erlang Erlang\/inets>9.4<9.6.2
Erlang Erlang\/otp>=17.0<26.2.5.19
Erlang Erlang\/otp>=27.0<27.3.4.10
Erlang Erlang\/otp>=28.0<28.4.2

Remediation

Patch Available

https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688

Patch Available

https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c

Patch Available

https://osv.dev/vulnerability/EEF-CVE-2026-28808

Event History

Apr 7, 2026
CVE Published
via MITRE·12:28 PM
Data Sourced
via MITRE·12:28 PM
DescriptionWeakness
Data Sourced
via NVD·01:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-28808?

CVE-2026-28808 is categorized with a medium severity due to incorrect authorization vulnerabilities allowing unauthenticated access.

2

How do I fix CVE-2026-28808?

To fix CVE-2026-28808, ensure to update affected Erlang OTP and inets software to the latest versions that address the vulnerability.

3

What versions of Erlang OTP are affected by CVE-2026-28808?

CVE-2026-28808 affects Erlang OTP versions from 17.0 to 28.4.2 inclusive.

4

What versions of Erlang inets are impacted by CVE-2026-28808?

This vulnerability affects Erlang inets versions between 5.10 and 9.6.2 inclusive, specifically those in the specified version ranges.

5

What type of vulnerability is CVE-2026-28808?

CVE-2026-28808 is an incorrect authorization vulnerability that allows access to protected CGI scripts.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203