CVE-2026-28808: CWE-863 Incorrect Authorization in Erlang OTP
CVE-2026-28808 is an incorrect authorization vulnerability in the Erlang OTP inets modules affecting versions from OTP 17. 0 through OTP 28. 4. 2 and related inets versions. The flaw arises when script_alias maps a URL prefix to a directory outside DocumentRoot, causing a mismatch between how mod_auth and mod_cgi evaluate access controls. This mismatch allows unauthenticated users to access CGI scripts that directory rules intended to protect. The vulnerability has a high severity with a CVSS 4. 0 score of 8. 3. No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
This vulnerability in Erlang OTP's inets HTTP server modules involves incorrect authorization due to inconsistent path evaluation between mod_auth and mod_cgi when script_alias is used to map URLs outside the DocumentRoot. Specifically, mod_auth checks access controls against the DocumentRoot-relative path, while mod_cgi executes scripts based on the ScriptAlias-resolved path. This discrepancy enables unauthenticated access to CGI scripts that should be protected by directory-based access controls. The issue affects OTP versions 17.0 through 28.4.2 and corresponding inets versions. The affected source files include mod_alias.erl, mod_auth.erl, and mod_cgi.erl.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass directory-based access controls and execute CGI scripts that were intended to be protected. This could lead to unauthorized execution of server-side scripts, potentially exposing sensitive information or enabling further attacks. The CVSS 4.0 score of 8.3 reflects a high severity impact with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users should monitor Erlang OTP vendor advisories for updates. Until a fix is available, consider avoiding configurations that use script_alias to map URLs outside DocumentRoot or implement additional access controls at other layers to restrict unauthorized access to CGI scripts.
CVE-2026-28808: CWE-863 Incorrect Authorization in Erlang OTP
Description
CVE-2026-28808 is an incorrect authorization vulnerability in the Erlang OTP inets modules affecting versions from OTP 17. 0 through OTP 28. 4. 2 and related inets versions. The flaw arises when script_alias maps a URL prefix to a directory outside DocumentRoot, causing a mismatch between how mod_auth and mod_cgi evaluate access controls. This mismatch allows unauthenticated users to access CGI scripts that directory rules intended to protect. The vulnerability has a high severity with a CVSS 4. 0 score of 8. 3. No official patch or remediation guidance is currently available from the vendor.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Erlang OTP's inets HTTP server modules involves incorrect authorization due to inconsistent path evaluation between mod_auth and mod_cgi when script_alias is used to map URLs outside the DocumentRoot. Specifically, mod_auth checks access controls against the DocumentRoot-relative path, while mod_cgi executes scripts based on the ScriptAlias-resolved path. This discrepancy enables unauthenticated access to CGI scripts that should be protected by directory-based access controls. The issue affects OTP versions 17.0 through 28.4.2 and corresponding inets versions. The affected source files include mod_alias.erl, mod_auth.erl, and mod_cgi.erl.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass directory-based access controls and execute CGI scripts that were intended to be protected. This could lead to unauthorized execution of server-side scripts, potentially exposing sensitive information or enabling further attacks. The CVSS 4.0 score of 8.3 reflects a high severity impact with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users should monitor Erlang OTP vendor advisories for updates. Until a fix is available, consider avoiding configurations that use script_alias to map URLs outside DocumentRoot or implement additional access controls at other layers to restrict unauthorized access to CGI scripts.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-03-03T14:40:00.590Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d4fc92aaed68159a20604c
Added to database: 4/7/2026, 12:46:10 PM
Last enriched: 4/14/2026, 4:04:12 PM
Last updated: 5/22/2026, 1:25:36 PM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.