9.8

CVE-2026-28808

ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.

When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.

This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.53% 0.407
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6b3ad84c-e1a6-4bf7-a703-f496b71e49db 8.3 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.4 2.2 5.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.erlang.org/doc/system/versions.html#order-of-versions
Product
https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f
Third Party Advisory
https://cna.erlef.org/cves/CVE-2026-28808.html
Vendor Advisory
Mitigation
https://osv.dev/vulnerability/EEF-CVE-2026-28808
Patch
Third Party Advisory
https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688
Patch
https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c
Patch
https://access.redhat.com/security/cve/CVE-2026-28808
https://bugzilla.redhat.com/show_bug.cgi?id=2455909
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28808.json