CVE-2026-21620: CWE-23 Relative Path Traversal in Erlang OTP
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl. This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.
AI Analysis
Machine-generated threat intelligence
Technical Summary
CVE-2026-21620 identifies a relative path traversal vulnerability classified under CWE-23 in the Erlang Open Telecom Platform (OTP), specifically within the TFTP file handling modules (tftp_file.erl). The vulnerability exists in versions from 1.0 through 17.0, including specific commits such as 07b8f441ca711f9812fad9e9115bab3c3aa92f79. The flaw allows an attacker to craft file path inputs that traverse directories beyond the intended root, potentially reading or modifying files outside the designated TFTP directory. This improper isolation or compartmentalization arises from insufficient validation of file path inputs in the TFTP server implementation. Exploitation requires network access and an authenticated account with low privileges, but does not require user interaction. The vulnerability has a CVSS 4.0 base score of 2.3, indicating low severity because of the limited impact on confidentiality, integrity, and availability and the requirement for authentication. No public exploits or active exploitation have been reported. The vulnerability affects the core Erlang OTP platform, which is widely used in telecommunications, distributed systems, and backend services, especially where TFTP is enabled for file transfers. The absence of patch links suggests that fixes may be pending or integrated in future OTP releases. Organizations relying on Erlang OTP's TFTP services should assess their exposure and implement compensating controls.
Potential Impact
The primary impact of CVE-2026-21620 is unauthorized file access outside the intended TFTP directory, which could lead to information disclosure or unauthorized modification of files if exploited. However, the requirement for authentication and low privileges limits the attacker's capabilities, reducing the overall risk. The vulnerability does not directly enable remote code execution or denial of service, and no known exploits exist in the wild, further mitigating immediate threat levels. Organizations using Erlang OTP in networked environments with TFTP enabled may face risks of sensitive file exposure or integrity compromise if attackers gain authenticated access. This could affect telecommunications providers, cloud services, and software platforms relying on Erlang OTP for backend operations. While the impact is limited, failure to address this vulnerability could serve as a foothold for further attacks or lateral movement within a network.
Mitigation Recommendations
1. Restrict TFTP service access to trusted networks and authenticated users only, minimizing exposure to untrusted actors.
2. Implement strict input validation and sanitization for file path parameters in TFTP modules to prevent traversal sequences such as '../'.
3. Enforce least privilege file system permissions on TFTP directories to limit file access scope even if traversal occurs.
4. Monitor Erlang OTP updates and apply patches promptly once available to address this vulnerability.
5. Consider disabling TFTP services if not required, or replacing them with more secure file transfer protocols.
6. Conduct regular security audits and penetration testing focusing on file transfer services to detect similar vulnerabilities.
7. Employ network segmentation and intrusion detection systems to detect anomalous TFTP activity.
8. Review authentication mechanisms to ensure they are robust and cannot be bypassed to exploit this vulnerability.
Affected Countries
United States, Germany, Sweden, India, China, Brazil, United Kingdom, France, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: EEF
- Date Reserved: 2026-01-01T03:46:45.934Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699842282c4d84f260dc3158
Added to database: 2/20/2026, 11:14:48 AM
Last enriched: 2/28/2026, 2:07:14 PM
Last updated: 4/6/2026, 6:29:46 PM
Views: 123