CVE-2026-28808

| EUVD-2026-19602 HIGH
2026-04-07 EEF
8.3
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 07, 2026 - 12:45 euvd
EUVD-2026-19602
Analysis Generated
Apr 07, 2026 - 12:45 vuln.today
Patch Released
Apr 07, 2026 - 12:45 nvd
Patch available
CVE Published
Apr 07, 2026 - 12:28 nvd
HIGH 8.3

Tags

Authentication Bypass Path Traversal Otp

Description

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Analysis

Authorization bypass in Erlang OTP's inets HTTP server allows unanauthenticated remote attackers to execute CGI scripts protected by directory-level access controls. The vulnerability stems from a path mismatch where mod_auth validates access against DocumentRoot-relative paths while mod_cgi executes scripts at ScriptAlias-resolved paths outside DocumentRoot. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Audit all Erlang OTP deployments to identify versions 17.0-28.4.1 and confirm presence of both mod_auth and mod_cgi with ScriptAlias directives. Within 7 days: Apply vendor-released patches to upgrade affected OTP versions to 28.4.2 or later (or equivalent security releases for earlier branches). …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

42
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +42
POC: 0

Share

CVE-2026-28808 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy