{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-28808","assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","state":"PUBLISHED","assignerShortName":"EEF","dateReserved":"2026-03-03T14:40:00.590Z","datePublished":"2026-04-07T12:28:16.056Z","dateUpdated":"2026-07-01T04:45:33.019Z"},"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"affected","modules":["inets"],"packageName":"inets","packageURL":"pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp&vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git","product":"OTP","programFiles":["src/http_server/mod_alias.erl","src/http_server/mod_auth.erl","src/http_server/mod_cgi.erl"],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"9.6.2","status":"unaffected"},{"at":"9.3.2.4","status":"unaffected"},{"at":"9.1.0.6","status":"unaffected"}],"lessThan":"*","status":"affected","version":"5.10","versionType":"otp"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"affected","modules":["inets"],"packageName":"erlang/otp","packageURL":"pkg:github/erlang/otp","product":"OTP","programFiles":["lib/inets/src/http_server/mod_alias.erl","lib/inets/src/http_server/mod_auth.erl","lib/inets/src/http_server/mod_cgi.erl"],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"28.4.2","status":"unaffected"},{"at":"27.3.4.10","status":"unaffected"},{"at":"26.2.5.19","status":"unaffected"}],"lessThan":"*","status":"affected","version":"17.0","versionType":"otp"},{"changes":[{"at":"8fc71ac6af4fbcc54103bec2983ef22e82942688","status":"unaffected"},{"at":"9dfa0c51eac97866078e808dec2183cb7871ff7c","status":"unaffected"}],"lessThan":"*","status":"affected","version":"07b8f441ca711f9812fad9e9115bab3c3aa92f79","versionType":"git"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The inets httpd server must use <tt>script_alias</tt> to map a URL prefix to a CGI directory, combined with <tt>directory</tt>-based access controls (e.g., <tt>mod_auth</tt>) protecting the <tt>script_alias</tt> target path. The vulnerability applies whenever the <tt>script_alias</tt> target path differs from <tt>DocumentRoot</tt> + URL prefix."}],"value":"The inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix."}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"26.2.5.19","versionStartIncluding":"17.0","vulnerable":true},{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"27.3.4.10","versionStartIncluding":"27.0","vulnerable":true},{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"28.4.2","versionStartIncluding":"28.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"AND"}],"credits":[{"lang":"en","type":"finder","value":"Igor Morgenstern / Aisle Research"},{"lang":"en","type":"remediation developer","value":"Konrad Pietrzak"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by <tt>directory</tt> rules when served via <tt>script_alias</tt>.<p>When <tt>script_alias</tt> maps a URL prefix to a directory outside <tt>DocumentRoot</tt>, <tt>mod_auth</tt> evaluates <tt>directory</tt>-based access controls against the <tt>DocumentRoot</tt>-relative path while <tt>mod_cgi</tt> executes the script at the <tt>ScriptAlias</tt>-resolved path. This path mismatch allows unauthenticated access to CGI scripts that <tt>directory</tt> rules were meant to protect.</p><p>This vulnerability is associated with program files <tt>lib/inets/src/http_server/mod_alias.erl</tt>, <tt>lib/inets/src/http_server/mod_auth.erl</tt>, and <tt>lib/inets/src/http_server/mod_cgi.erl</tt>.</p><p>This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.</p>"}],"value":"Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.\n\nWhen script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6."}],"impacts":[{"capecId":"CAPEC-1","descriptions":[{"lang":"en","value":"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":8.3,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863 Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF","dateUpdated":"2026-07-01T04:45:33.019Z"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-28808.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-28808"},{"tags":["x_version-scheme"],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c"}],"source":{"discovery":"EXTERNAL"},"title":"ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<ul><li>Move CGI scripts inside <tt>DocumentRoot</tt> and use <tt>alias</tt> instead of <tt>script_alias</tt> to ensure <tt>mod_auth</tt> resolves the correct path.</li><li>Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the <tt>script_alias</tt> URL prefix.</li><li>Remove <tt>mod_cgi</tt> from the httpd modules chain if CGI functionality is not required.</li></ul>"}],"value":"* Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.\n* Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.\n* Remove mod_cgi from the httpd modules chain if CGI functionality is not required."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-07T13:14:10.515632Z","id":"CVE-2026-28808","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-07T13:14:16.481Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openstack:16.2"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 16.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:17.1"],"defaultStatus":"affected","product":"Red Hat OpenStack Platform 17.1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openstack:18.0"],"defaultStatus":"unaffected","product":"Red Hat OpenStack Platform 18.0","vendor":"Red Hat"}],"datePublic":"2026-04-07T12:28:16.056Z","descriptions":[{"lang":"en","value":"A flaw was found in Erlang OTP (inets modules). A remote unauthenticated attacker could exploit an incorrect authorization vulnerability when CGI (Common Gateway Interface) scripts are served via script_alias. This vulnerability arises from a path mismatch where access controls are evaluated against a different path than the script's execution path. This allows unauthorized access to CGI scripts intended to be protected by directory rules, potentially leading to information disclosure or the execution of unauthorized scripts."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-551","description":"Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-28808"},{"name":"RHBZ#2455909","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455909"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28808.json"}],"timeline":[{"lang":"en","time":"2026-04-07T13:01:42.326Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-07T12:28:16.056Z","value":"Made public."}],"title":"erlang/otp: inets: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:07:58.601Z"}}]}}