
Otp: EUVD-2026-19602

CVE-2026-28808 HIGH
Incorrect Authorization (CWE-863)
2026-04-07 EEF
8.3
CVSS 4.0 · Vendor: EEF

Severity by source

Vendor (EEF), primary: 8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE: 7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat: 7.4 HIGH (qualitative)

Primary rating from Vendor (EEF).

CVSS Vector (Vendor: EEF), decoded from the vendor vector above:

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Re-analysis Queued (cvss_changed): Apr 23, 2026 - 17:57, vuln.today
EUVD ID Assigned (EUVD-2026-19602): Apr 07, 2026 - 12:45, euvd
Analysis Generated: Apr 07, 2026 - 12:45, vuln.today
Patch released (Patch available): Apr 07, 2026 - 12:45, nvd
CVE Published (HIGH 8.3): Apr 07, 2026 - 12:28, nvd

Description (source: CVE.org)

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.

When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.

This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Analysis (AI-generated)

Authorization bypass in Erlang OTP's inets HTTP server allows unauthenticated remote attackers to execute CGI scripts protected by directory-level access controls. The vulnerability stems from a path mismatch: mod_auth validates access against DocumentRoot-relative paths, while mod_cgi executes scripts at ScriptAlias-resolved paths outside DocumentRoot. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Request CGI script via ScriptAlias URL
Delivery: mod_auth checks DocumentRoot-relative path
Exploit: mod_cgi executes script at ScriptAlias location
Execution: Bypass directory access controls
Impact: Access protected CGI script unauthenticated

Vulnerability Assessment (AI-generated)

Exploitation: Requires an Erlang OTP inets HTTP server with a script_alias directive mapping a URL prefix to a directory outside DocumentRoot, combined with mod_auth directory-based access controls on the mapped directory. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: This vulnerability presents elevated risk in specific deployment scenarios. …
Exploit Scenario: An attacker identifies an Erlang-based web application using the inets HTTP server with CGI capabilities exposed through ScriptAlias directives. The server configuration protects administrative CGI scripts in /var/www/admin-scripts/ using directory-based authentication rules, but a ScriptAlias directive maps the /admin/ URL path to this directory outside DocumentRoot. …
Remediation: Upgrade Erlang OTP to a patched version: 28.4.2 or later for the OTP 28.x series, 27.3.4.10 or later for the OTP 27.x series, or 26.2.5.19 or later for the OTP 26.x series. …

Recommended Action (AI-generated)

Within 24 hours: Audit all Erlang OTP deployments to identify versions 17.0 through 28.4.1 and confirm the presence of both mod_auth and mod_cgi together with ScriptAlias directives. …
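As an added audit helper (not part of OTP, the advisory, or vuln.today), the following Erlang module takes an inets httpd property list and reports script_alias entries whose target directory lies outside document_root while being covered by a mod_auth directory rule, the configuration shape the description above and the 24-hour action item call out. The module name, the example/0 configuration, its host name and file paths are constructed for illustration; the check is string-level and does not resolve symlinks or ".." segments.

```erlang
%% audit_inets.erl (added helper, not from OTP): flag httpd configs in the
%% shape described by CVE-2026-28808 before upgrading.
-module(audit_inets).
-export([findings/1, example/0]).

%% Config is the property list given to inets:start(httpd, Config).
%% Returns the {UrlPrefix, Dir} script_alias entries whose target directory
%% lies outside document_root yet is covered by a mod_auth directory rule,
%% which only matters when mod_auth and mod_cgi are both loaded.
findings(Config) ->
    %% No modules key means inets' default module list, which loads both.
    Modules = proplists:get_value(modules, Config, [mod_auth, mod_cgi]),
    case lists:member(mod_auth, Modules) andalso lists:member(mod_cgi, Modules) of
        false ->
            [];
        true ->
            DocRoot  = proplists:get_value(document_root, Config, ""),
            Aliases  = [{Prefix, Dir} || {script_alias, {Prefix, Dir}} <- Config],
            AuthDirs = [D || {directory, {D, _Opts}} <- Config],
            [{Prefix, Dir} || {Prefix, Dir} <- Aliases,
                              not under(DocRoot, Dir),
                              lists:any(fun(AD) -> under(AD, Dir) end, AuthDirs)]
    end.

%% True when Child is Parent itself or lies below it. String-level only:
%% symlinks and ".." segments are not resolved.
under(Parent, Child) ->
    lists:prefix(normalize(Parent) ++ "/", normalize(Child) ++ "/").

normalize(Path) ->
    string:trim(Path, trailing, "/").

%% Constructed configuration mirroring the advisory's scenario: admin CGI
%% scripts outside document_root, protected by a directory rule, served
%% via the /admin/ prefix. Host name and file paths are placeholders.
example() ->
    Config = [{port, 8080},
              {server_name, "example.internal"},
              {server_root, "/var/www"},
              {document_root, "/var/www/htdocs"},
              {modules, [mod_alias, mod_auth, mod_cgi, mod_get, mod_log]},
              {script_alias, {"/admin/", "/var/www/admin-scripts/"}},
              {directory, {"/var/www/admin-scripts",
                           [{auth_type, plain},
                            {auth_user_file, "/var/www/auth/users"},
                            {require_user, ["admin"]}]}}],
    %% A non-empty result means this deployment matches the advisory's precondition.
    findings(Config).
```

Run `audit_inets:findings/1` against each deployment's real httpd property list; any entry it returns is a host to prioritise for the upgrade listed under Remediation.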



Vendor Status

SUSE

Severity: High
Product Status:
SUSE Linux Enterprise High Performance Computing 15 SP7: Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7: Fixed
SUSE Linux Enterprise Server 15 SP7: Fixed

EUVD-2026-19602 vulnerability details – vuln.today
