← Volver a CVEs

CVE-2026-28808

CRITICAL

9.8

Descripcion

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado4/7/2026

Ultima modificacion4/23/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

erlang:erlang\/inetserlang:erlang\/otp

Debilidades (CWE)

CWE-863

Referencias

https://cna.erlef.org/cves/CVE-2026-28808.html(6b3ad84c-e1a6-4bf7-a703-f496b71e49db)

https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688(6b3ad84c-e1a6-4bf7-a703-f496b71e49db)

https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c(6b3ad84c-e1a6-4bf7-a703-f496b71e49db)

https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f(6b3ad84c-e1a6-4bf7-a703-f496b71e49db)

https://osv.dev/vulnerability/EEF-CVE-2026-28808(6b3ad84c-e1a6-4bf7-a703-f496b71e49db)

https://www.erlang.org/doc/system/versions.html#order-of-versions(6b3ad84c-e1a6-4bf7-a703-f496b71e49db)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.