{"affected":[{"ranges":[{"events":[{"introduced":"07b8f441ca711f9812fad9e9115bab3c3aa92f79"},{"fixed":"8fc71ac6af4fbcc54103bec2983ef22e82942688"},{"fixed":"9dfa0c51eac97866078e808dec2183cb7871ff7c"}],"repo":"https://github.com/erlang/otp","type":"GIT"}]}],"aliases":["GHSA-3vhp-h532-mc3f","CVE-2026-28808"],"credits":[{"name":"Igor Morgenstern / Aisle Research","type":"REPORTER"},{"name":"Konrad Pietrzak","type":"REMEDIATION_DEVELOPER"}],"database_specific":{"capec_ids":["CAPEC-1"],"cpe_ids":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-863"]},"details":"## Summary\n\nIncorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.\n\nWhen script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19, corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.\n\n## Workaround\n\n* Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.\n* Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.\n* Remove mod_cgi from the httpd modules chain if CGI functionality is not required.\n\n## Configuration\n\nThe inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix.","id":"EEF-CVE-2026-28808","modified":"2026-04-07T14:38:09.190Z","published":"2026-04-07T12:28:16.056Z","references":[{"type":"ADVISORY","url":"https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-28808.html"},{"type":"WEB","url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)","upstream":[]}