
CVE-2026-21620: CWE-23 Relative Path Traversal in Erlang OTP

Severity: Low
Tags: Vulnerability, CVE-2026-21620, cve, cve-2026-21620, cwe-23
Published: Fri Feb 20 2026 (02/20/2026, 10:57:08 UTC)
Source: CVE Database V5
Vendor/Project: Erlang
Product: OTP

Description

Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl. This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.

AI-Powered Analysis

Last updated: 02/20/2026, 11:28:54 UTC

Technical Analysis

CVE-2026-21620 is a relative path traversal vulnerability classified under CWE-23, found in the Erlang OTP project's TFTP file modules (specifically in lib/tftp/src/tftp_file.erl and src/tftp_file.erl). This vulnerability affects Erlang OTP versions starting from 17.0, including earlier versions such as 5.10 before 7.0 and 1.0, indicating a long-standing issue across multiple releases. The flaw arises due to improper isolation or compartmentalization in handling file paths within the TFTP server implementation, allowing an attacker to craft malicious file path inputs that traverse directories outside the intended file system boundaries. This can lead to unauthorized reading of files outside the designated TFTP root directory. The vulnerability requires network access (AV:N) and low attack complexity (AC:L), but it does require privileges (PR:L) and does not require user interaction (UI:N). The impact on confidentiality and integrity is low, with no impact on availability. The CVSS 4.0 base score is 2.3, reflecting the limited scope and impact. No known exploits have been reported in the wild, and no official patches have been linked yet, though it is expected that the Erlang OTP maintainers will address this in future releases.

Potential Impact

The primary impact of CVE-2026-21620 is unauthorized access to files outside the intended TFTP directory, which could lead to disclosure of sensitive information or unauthorized modification if the attacker can write files. However, since the vulnerability requires some level of privileges and does not allow remote code execution or denial of service, the overall risk is limited. Organizations running Erlang OTP TFTP services could face confidentiality breaches if attackers exploit this flaw to access configuration files, credentials, or other sensitive data stored on the server. The impact is more significant in environments where Erlang OTP TFTP servers are exposed to untrusted networks or where privilege separation is weak. Since no known exploits exist yet, the immediate risk is low, but the vulnerability should be addressed proactively to prevent future exploitation.

Mitigation Recommendations

To mitigate CVE-2026-21620, organizations should first verify if their Erlang OTP deployments use the affected TFTP modules and versions. Restrict network access to TFTP services to trusted hosts only, using firewall rules or network segmentation. Implement strict privilege separation and run TFTP services with the least privileges necessary to limit the impact of potential exploitation. Monitor Erlang OTP project updates closely and apply patches promptly once available. In the interim, consider disabling the TFTP service if it is not essential. Additionally, validate and sanitize all file path inputs in custom implementations or wrappers around the TFTP modules to prevent path traversal. Employ file system access controls to restrict the TFTP server's file system permissions, ensuring it cannot access sensitive directories outside its root path.
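The last two recommendations above (validate file path inputs in wrappers around the TFTP modules, and confine the server to its root) come down to one check: a requested filename must still resolve inside the configured root after "." and ".." segments are collapsed. The module below is an added example, not code from the page or from the OTP project; the module name, the root directory "/srv/tftp", the request filenames in demo/0 and the assumption of a Unix-style filesystem are all constructed for illustration.

```erlang
%% tftp_path_guard.erl -- added example, not OTP code.
%% Rejects a TFTP filename unless, after normalizing "." and ".." segments,
%% it still resolves inside the configured root directory.
-module(tftp_path_guard).
-export([safe_path/2, demo/0]).

%% Root is an absolute directory (e.g. "/srv/tftp", a constructed value).
%% Requested is the filename taken from the TFTP read/write request.
%% Returns {ok, AbsolutePath} or {error, path_traversal}.
safe_path(Root, Requested) ->
    AbsRoot = normalize(Root),
    %% filename:join/2 discards the root if Requested is itself absolute,
    %% so "/etc/passwd" also ends up outside AbsRoot and is rejected below.
    Candidate = normalize(filename:join(AbsRoot, Requested)),
    %% Compare segment lists, not strings: a plain string prefix test would
    %% wrongly accept "/srv/tftp-other/x" as being under "/srv/tftp".
    case lists:prefix(filename:split(AbsRoot), filename:split(Candidate)) of
        true  -> {ok, Candidate};
        false -> {error, path_traversal}
    end.

%% Collapse "." and ".." segments lexically. A ".." at the filesystem root is
%% dropped, mirroring how the OS resolves "/..".
normalize(Path) ->
    filename:join(lists:reverse(collapse(filename:split(Path), []))).

collapse([], Acc) -> Acc;
collapse(["." | Rest], Acc) -> collapse(Rest, Acc);
collapse([".." | Rest], [Top | Acc]) when Top =/= "/" -> collapse(Rest, Acc);
collapse([".." | Rest], Acc) -> collapse(Rest, Acc);
collapse([Seg | Rest], Acc) -> collapse(Rest, [Seg | Acc]).

%% Constructed request filenames exercised against a constructed root.
demo() ->
    Root = "/srv/tftp",
    [{Req, safe_path(Root, Req)} ||
        Req <- ["boot/pxelinux.0",           % plain relative name: allowed
                "./boot/../boot/pxelinux.0", % redundant segments: allowed
                "../etc/passwd",             % climbs out of root: rejected
                "boot/../../etc/shadow",     % climbs out after descending: rejected
                "/etc/passwd"]].             % absolute name: rejected
```

Calling tftp_path_guard:demo() from an Erlang shell returns {ok, "/srv/tftp/boot/pxelinux.0"} for the first two requests and {error, path_traversal} for the remaining three. The check is purely lexical: a symbolic link inside the root that points outside it is not detected, so it should be combined with the filesystem permissions and least-privilege service account recommended above. OTP 23 and later also ship filelib:safe_relative_path/2, which sanitizes a relative path and resolves symbolic links against the given directory; where it is available it is the better choice for a wrapper.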


Technical Details

Data Version: 5.2
Assigner Short Name: EEF
Date Reserved: 2026-01-01T03:46:45.934Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699842282c4d84f260dc3158

Added to database: 2/20/2026, 11:14:48 AM

Last enriched: 2/20/2026, 11:28:54 AM

Last updated: 2/20/2026, 2:12:41 PM

Views: 16

