Incorrect Authorization Vulnerability in Erlang OTP Affecting CGI Scripts
CVE-2026-28808

8.3 HIGH

Key Information:

Vendor: Erlang
Status: Vendor
CVE Published: 7 April 2026

What is CVE-2026-28808?

An incorrect authorization vulnerability exists in Erlang/OTP, specifically in the inets application (its httpd server). When CGI scripts are served through the script_alias directive, unauthenticated users can reach scripts that a directory rule is meant to protect. The cause is a path mismatch: mod_auth evaluates its directory rules against a different path from the one mod_cgi resolves and executes the script from, so a rule that names the CGI directory does not match the request and is never enforced. As a result, sensitive CGI scripts can be invoked despite the existing directory-based access controls. The affected versions of Erlang/OTP range from 17.0 up to 28.4.2, as well as the specific versions 27.3.4.10 and 26.2.5.19; these correspond to inets versions 5.10 up to 9.6.2, and additional versions.
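The configuration shape the advisory describes, written out as an added example (not code from the advisory or from the OTP project): a script_alias that maps a URL prefix onto a CGI directory, plus a directory rule that is meant to require a login for that directory. The port, paths, realm name and user name are assumptions made for illustration.

```erlang
%% Added example, not from the advisory or the OTP project: a minimal
%% inets httpd configuration of the kind the advisory describes.
%% Port, paths, realm and user name are assumptions for illustration.
-module(cgi_auth_check).
-export([start/0, stop/1]).

%% Starts an httpd instance on 127.0.0.1:8080 with:
%%   - script_alias: requests under /cgi-bin/ are executed from the
%%     file-system directory /tmp/httpd/cgi-bin/ by mod_cgi
%%   - directory: a mod_auth rule that is intended to require the user
%%     "admin" (from the plain-text password file) for that directory
start() ->
    ok = inets:start(),
    {ok, Pid} = inets:start(httpd, [
        {port, 8080},
        {bind_address, {127, 0, 0, 1}},
        {server_name, "localhost"},
        {server_root, "/tmp/httpd"},
        {document_root, "/tmp/httpd/htdocs"},
        %% Module order matters: mod_alias resolves aliases first,
        %% mod_auth runs before the modules that produce content.
        {modules, [mod_alias, mod_auth, mod_cgi, mod_get, mod_log]},
        %% URL prefix -> directory holding the CGI scripts
        {script_alias, {"/cgi-bin/", "/tmp/httpd/cgi-bin/"}},
        %% Directory rule meant to protect those scripts
        {directory, {"/tmp/httpd/cgi-bin", [
            {auth_type, plain},
            {auth_name, "Restricted CGI"},
            {auth_user_file, "/tmp/httpd/conf/passwd"},
            {require_user, ["admin"]}
        ]}}
    ]),
    {ok, Pid}.

%% Stops the instance started by start/0.
stop(Pid) ->
    inets:stop(httpd, Pid).
```

To check an installed release rather than trust version strings, put a trivial script such as `hello.sh` in the CGI directory, start the server with `cgi_auth_check:start().`, and request `http://127.0.0.1:8080/cgi-bin/hello.sh` with no credentials (for example with `curl -si`). A server that enforces the directory rule answers 401 with a `WWW-Authenticate` header naming the "Restricted CGI" realm; if the script's output comes back with a 200 instead, the directory rule is not being applied to the script_alias path, which is the behaviour this advisory describes. The fix is to upgrade to an OTP/inets release outside the affected ranges listed on this page.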

Affected Version(s)

OTP 17.0 through 28.4.2 (inets 5.10 through 9.6.2)

OTP 27.3.4.10

OTP 26.2.5.19

References

CVSS V4

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Igor Morgenstern / Aisle Research
Konrad Pietrzak