CVE-2026-28808: CWE-863 Incorrect Authorization in Erlang OTP
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
AI Analysis
Technical Summary
This vulnerability arises because mod_auth evaluates directory access controls against the DocumentRoot-relative path, while mod_cgi executes scripts based on the ScriptAlias-resolved path. When script_alias maps a URL prefix to a directory outside DocumentRoot, this path mismatch allows bypassing directory-based authorization rules, enabling unauthenticated users to access CGI scripts that should be protected. The issue affects Erlang OTP versions 17.0 through 28.4.2 and corresponding inets module versions. The affected files include mod_alias.erl, mod_auth.erl, and mod_cgi.erl within the inets HTTP server implementation.
Potential Impact
An attacker can gain unauthorized access to CGI scripts that are intended to be protected by directory-based access controls. This could lead to unauthorized execution of scripts, potentially exposing sensitive information or enabling further attacks. The vulnerability does not require user interaction or privileges and has a high severity rating (CVSS 8.3). No known exploits have been reported in the wild so far.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary workaround is currently documented, users should monitor Erlang's official channels for updates. Until a fix is available, consider restricting access to CGI scripts served via script_alias through external means such as network-level controls or web server frontends that enforce proper authorization.
CVE-2026-28808: CWE-863 Incorrect Authorization in Erlang OTP
Description
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises because mod_auth evaluates directory access controls against the DocumentRoot-relative path, while mod_cgi executes scripts based on the ScriptAlias-resolved path. When script_alias maps a URL prefix to a directory outside DocumentRoot, this path mismatch allows bypassing directory-based authorization rules, enabling unauthenticated users to access CGI scripts that should be protected. The issue affects Erlang OTP versions 17.0 through 28.4.2 and corresponding inets module versions. The affected files include mod_alias.erl, mod_auth.erl, and mod_cgi.erl within the inets HTTP server implementation.
Potential Impact
An attacker can gain unauthorized access to CGI scripts that are intended to be protected by directory-based access controls. This could lead to unauthorized execution of scripts, potentially exposing sensitive information or enabling further attacks. The vulnerability does not require user interaction or privileges and has a high severity rating (CVSS 8.3). No known exploits have been reported in the wild so far.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary workaround is currently documented, users should monitor Erlang's official channels for updates. Until a fix is available, consider restricting access to CGI scripts served via script_alias through external means such as network-level controls or web server frontends that enforce proper authorization.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-03-03T14:40:00.590Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d4fc92aaed68159a20604c
Added to database: 4/7/2026, 12:46:10 PM
Last enriched: 4/7/2026, 1:01:30 PM
Last updated: 4/7/2026, 1:49:04 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.