PT-2026-30814 · Erlang · Otp

Konrad Pietrzak · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-28808

CVSS v4.0: 8.3 (High) AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when they are served via ScriptAlias.

When ScriptAlias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path, while mod_cgi executes the script at the ScriptAlias-resolved path. Because the two modules look at different paths, a directory rule written for the script directory never matches the request, and the CGI scripts it was meant to protect can be reached without authentication.

This vulnerability is associated with the program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19, corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
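The path mismatch described above, modelled as an added Python example (illustrative, not OTP's own code): the DocumentRoot, ScriptAlias and directory-rule values are constructed, and the names only loosely mirror the inets httpd properties document_root, script_alias and directory. It contrasts the mismatched check with one that evaluates the rule against the path that will actually execute.

```python
import posixpath

# Constructed configuration, modelled on inets httpd options (not a real deployment).
DOCUMENT_ROOT = "/var/www/htdocs"
SCRIPT_ALIAS = ("/cgi-bin/", "/opt/app/cgi-bin/")      # URL prefix -> directory outside DocumentRoot
DIRECTORY_RULES = {"/opt/app/cgi-bin": "require user admin"}  # rule meant to protect the scripts


def resolve_script(url_path):
    """mod_alias/mod_cgi view: map the URL prefix onto the ScriptAlias directory.
    Returns None when the URL is not under the alias or escapes the target directory."""
    prefix, target = SCRIPT_ALIAS
    if not url_path.startswith(prefix):
        return None
    resolved = posixpath.normpath(posixpath.join(target, url_path[len(prefix):]))
    target_dir = posixpath.normpath(target)
    if not resolved.startswith(target_dir + "/"):
        return None  # traversal out of the alias directory is refused
    return resolved


def docroot_path(url_path):
    """The DocumentRoot-relative path that the mismatched check was evaluated against."""
    return posixpath.normpath(DOCUMENT_ROOT + url_path)


def rule_for(fs_path):
    """Return the directory rule whose directory contains fs_path, or None."""
    for directory, rule in DIRECTORY_RULES.items():
        if fs_path == directory or fs_path.startswith(directory + "/"):
            return rule
    return None


def auth_required_mismatched(url_path):
    """Vulnerable behaviour: rules are matched against the DocumentRoot-relative path,
    so a rule on the ScriptAlias directory never applies to aliased requests."""
    return rule_for(docroot_path(url_path)) is not None


def auth_required_consistent(url_path):
    """Defensive behaviour: match rules against the path that will actually be executed
    or served, so the rule on the script directory is honoured."""
    executed_at = resolve_script(url_path) or docroot_path(url_path)
    return rule_for(executed_at) is not None
```

For /cgi-bin/report.sh the mismatched check finds no rule while the consistent check requires authentication, which is exactly the gap the advisory describes.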

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-28808

Affected Products: Otp