PT-2026-30814 · Erlang · Erlang/Otp

Konrad Pietrzak · Published 2026-04-07 · Updated 2026-04-22 · CVE-2026-28808

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Erlang OTP versions 17.0 through 28.4.2, 26.2.5.19, and 27.3.4.10

Description: An incorrect authorization issue exists in Erlang OTP (inets modules) that allows unauthenticated access to CGI scripts protected by directory rules when they are served via script_alias. This occurs because mod_auth evaluates directory-based access controls against the DocumentRoot-relative path, while mod_cgi executes scripts at the ScriptAlias-resolved path, creating a path mismatch. The affected program files are lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.

Recommendations: Move CGI scripts inside DocumentRoot and use alias instead of script_alias so that mod_auth resolves the correct path. Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix. Remove mod_cgi from the httpd modules chain if CGI functionality is not required.
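The mismatch described above can be checked for in an httpd configuration before it is deployed. The module below is an added example, not code from the advisory or from Erlang/OTP: it models the advisory's description (mod_auth matching directory rules against DocumentRoot ++ RequestURI, mod_cgi running the file that script_alias resolves to) over a standard inets httpd property list and reports every script_alias whose protected target directory is never what mod_auth evaluates. The property names document_root, modules, alias, script_alias and directory are real httpd properties; all paths, the user file and the module lists in demo/0 are constructed for the demo.

```erlang
%% cgi_auth_check.erl
%% Added example, not from the advisory or from Erlang/OTP. Models the
%% path split the advisory describes: mod_auth checks directory rules
%% against DocumentRoot ++ RequestURI, mod_cgi executes the file that
%% script_alias resolves to. All configuration values are constructed.
-module(cgi_auth_check).
-export([check/1, demo/0]).

%% check(Config) -> [{UriPrefix, AuthPath, CgiPath}]
%% One entry per script_alias whose target directory is protected by a
%% directory rule that the path mod_auth evaluates does not fall under,
%% i.e. the rule can never fire for requests to that URI prefix.
check(Config) ->
    DocRoot = strip_slash(proplists:get_value(document_root, Config, "")),
    %% httpd's default module chain contains mod_cgi, so an absent
    %% modules property is treated as "mod_cgi present"
    Modules = proplists:get_value(modules, Config, [mod_cgi]),
    Dirs = [strip_slash(Dir) || {directory, {Dir, _Opts}} <- Config],
    case lists:member(mod_cgi, Modules) of
        false ->
            [];   % nothing executes CGI, so there is no rule to bypass
        true ->
            [{Uri, AuthPath, CgiPath}
             || {script_alias, {Uri, Target}} <- Config,
                AuthPath <- [DocRoot ++ Uri],   % path mod_auth evaluates
                CgiPath  <- [Target],           % path mod_cgi executes
                covered(CgiPath, Dirs),
                not covered(AuthPath, Dirs)]
    end.

%% true when Path is one of the protected directories or lies below one
covered(Path, Dirs) ->
    Clean = strip_slash(Path),
    lists:any(fun(Dir) ->
                      Dir =:= Clean orelse lists:prefix(Dir ++ "/", Clean)
              end, Dirs).

strip_slash(Path) ->
    string:trim(Path, trailing, "/").

%% Three constructed configurations: the weak layout, the layout the
%% advisory recommends (scripts under DocumentRoot, served via alias),
%% and the weak layout with mod_cgi removed from the module chain.
demo() ->
    Auth = [{auth_type, plain},
            {auth_user_file, "/etc/httpd/passwd"},   % constructed path
            {require_user, ["admin"]}],
    %% Weak: scripts outside DocumentRoot, reached through script_alias.
    %% mod_auth looks at /var/www/htdocs/cgi-bin/..., so the rule on
    %% /srv/cgi-bin never matches.
    Weak = [{document_root, "/var/www/htdocs"},
            {modules, [mod_alias, mod_auth, mod_cgi, mod_get]},
            {script_alias, {"/cgi-bin/", "/srv/cgi-bin/"}},
            {directory, {"/srv/cgi-bin", Auth}}],
    %% Moved: scripts under DocumentRoot and served via alias, as the
    %% advisory recommends; no script_alias is left to split the path.
    Moved = [{document_root, "/var/www/htdocs"},
             {modules, [mod_alias, mod_auth, mod_cgi, mod_get]},
             {alias, {"/cgi-bin/", "/var/www/htdocs/cgi-bin/"}},
             {directory, {"/var/www/htdocs/cgi-bin", Auth}}],
    %% NoCgi: the weak layout with mod_cgi dropped from the chain.
    NoCgi = lists:keystore(modules, 1, Weak,
                           {modules, [mod_alias, mod_auth, mod_get]}),
    #{weak   => check(Weak),
      moved  => check(Moved),
      no_cgi => check(NoCgi)}.
```

Compile with `erlc cgi_auth_check.erl` and call `cgi_auth_check:demo()` in an Erlang shell: the weak configuration yields `[{"/cgi-bin/", "/var/www/htdocs/cgi-bin/", "/srv/cgi-bin/"}]`, the other two yield `[]`. The checker runs over the same property list that is passed to `inets:start(httpd, Config)`, so it can sit in a deployment test. One consequence of the described mechanism that goes beyond the advisory's wording: a script_alias whose target is exactly DocumentRoot ++ prefix is not flagged either, because both modules then resolve the same path.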

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers:
CVE-2026-28808
GHSA-3VHP-H532-MC3F
OPENSUSE-SU-2026:20607-1

Affected Products: Erlang/Otp