CVE-2026-21620: Erlang OTP TFTP Path Traversal Flaw

CVE-2026-21620 Overview

CVE-2026-21620 is a Relative Path Traversal vulnerability affecting the TFTP file handling modules in Erlang/OTP. The vulnerability exists in the tftp_file.erl module across multiple Erlang/OTP components including the core erlang/otp, inets, and tftp packages. An authenticated attacker with network access can exploit improper path validation to traverse directories and potentially access or modify files outside the intended TFTP root directory.

Critical Impact

Authenticated attackers can leverage path traversal sequences to escape the TFTP server's configured root directory, potentially reading sensitive configuration files or overwriting critical system files depending on the TFTP server's file system permissions.

Affected Products

• Erlang/OTP versions from 17.0 (including commit 07b8f441ca711f9812fad9e9115bab3c3aa92f79)
• Erlang/OTP inets application versions from 5.10 before 7.0
• Erlang/OTP tftp application versions from 1.0

Discovery Timeline

• 2026-02-20 - CVE-2026-21620 published to NVD
• 2026-02-20 - Last updated in NVD database

Technical Details for CVE-2026-21620

Vulnerability Analysis

This vulnerability stems from insufficient path validation in the TFTP file handling implementation within Erlang/OTP. The affected files lib/tftp/src/tftp_file.erl and src/tftp_file.erl fail to properly sanitize file path inputs, allowing relative path traversal sequences (such as ../) to escape the intended directory scope.

The vulnerability is classified under CWE-23 (Relative Path Traversal), which describes scenarios where user-controlled input containing path traversal sequences is not properly neutralized before being used in file system operations. While the vulnerability requires authentication and network access, successful exploitation could allow an attacker to read or write files outside the designated TFTP root directory.

Root Cause

The root cause lies in improper isolation and compartmentalization within the tftp_file modules. The TFTP implementation does not adequately validate or canonicalize file paths before performing file operations. When processing TFTP read or write requests, the module accepts relative path components without stripping or blocking directory traversal sequences, allowing attackers to reference files in parent directories outside the TFTP server's intended scope.

Attack Vector

The attack vector is network-based, requiring an authenticated user to submit specially crafted TFTP requests containing relative path traversal sequences. The attacker must have valid credentials to interact with the TFTP service but can then leverage the path traversal vulnerability to access files beyond the configured root directory. This attack requires specific preconditions to be present (AT:P in CVSS 4.0), limiting the exploitability in certain configurations.

The security patches address this issue by implementing proper path validation. Below are excerpts from the official patches:

 ## Overwiew
 
 This is a complete implementation of the following IETF standards:
-    RFC 1350, The TFTP Protocol (revision 2).
-    RFC 2347, TFTP Option Extension.
-    RFC 2348, TFTP Blocksize Option.
-    RFC 2349, TFTP Timeout Interval and Transfer Size Options.
+
+* [RFC 1350][], The TFTP Protocol (revision 2).
+* [RFC 2347][], TFTP Option Extension.
+* [RFC 2348][], TFTP Blocksize Option.
+* [RFC 2349][], TFTP Timeout Interval and Transfer Size Options.
 
 The only feature that not is implemented in this release is
 the "netascii" transfer mode.

Source: GitHub Commit Update

Detection Methods for CVE-2026-21620

Indicators of Compromise

• TFTP requests containing path traversal sequences such as ../ or ..%2f in file paths
• Unusual file access patterns in TFTP server logs showing attempts to access system directories
• TFTP read/write operations targeting files outside the configured TFTP root directory

Detection Strategies

• Monitor TFTP server logs for requests containing encoded or plaintext directory traversal patterns
• Implement network intrusion detection rules to flag TFTP packets with suspicious file path patterns
• Deploy file integrity monitoring on sensitive directories that should not be accessible via TFTP

Monitoring Recommendations

• Enable verbose logging on TFTP servers to capture full request paths for forensic analysis
• Set up alerts for any TFTP file operations that resolve to paths outside the expected root directory
• Review TFTP server configurations to ensure the service is running with minimal required privileges

How to Mitigate CVE-2026-21620

Immediate Actions Required

• Upgrade Erlang/OTP to a patched version that addresses CVE-2026-21620 (tracked as OTP-19981)
• Review TFTP server configurations and restrict file system permissions to limit potential damage
• Consider disabling TFTP services if not required for operations until patching is complete

Patch Information

Erlang/OTP has released security patches addressing this path traversal vulnerability. The fix is tracked under issue OTP-19981 and has been merged into maintenance branches for OTP versions 26, 27, and 28. Patches are available via the following commits:

• Patch for maint-26
• Patch for maint-27
• Patch for maint-28

The complete fix details and discussion are available in the GitHub Pull Request and the GitHub Security Advisory.

Workarounds

• Configure the TFTP server to run in a chroot environment or container to limit file system access
• Implement network-level access controls to restrict TFTP service access to trusted IP addresses only
• Use a firewall to limit TFTP port (UDP 69) access to authorized clients

# Example: Restrict TFTP access using iptables
iptables -A INPUT -p udp --dport 69 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 69 -j DROP