CVE-2026-28808 Overview
CVE-2026-28808 is an Incorrect Authorization vulnerability affecting Erlang OTP's inets modules that allows unauthenticated access to CGI scripts that should be protected by directory-based access control rules. The vulnerability arises from a path mismatch between how mod_auth evaluates access controls and how mod_cgi resolves script paths when using script_alias configurations.
When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This architectural inconsistency allows attackers to bypass authentication mechanisms and access protected CGI scripts without proper credentials.
Critical Impact
Unauthenticated remote attackers can bypass directory-based authentication to access protected CGI scripts, potentially exposing sensitive functionality or data processed by these scripts.
Affected Products
- Erlang OTP versions 17.0 through 28.4.1 (before 28.4.2)
- Erlang OTP versions 27.x through 27.3.4.9 (before 27.3.4.10)
- Erlang OTP versions 26.x through 26.2.5.18 (before 26.2.5.19)
- Erlang inets module versions 5.10 through 9.6.1 (before 9.6.2)
- Erlang inets module versions 9.3.x through 9.3.2.3 (before 9.3.2.4)
- Erlang inets module versions 9.1.x through 9.1.0.5 (before 9.1.0.6)
Discovery Timeline
- April 7, 2026 - CVE-2026-28808 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-28808
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization) and affects the HTTP server component within Erlang OTP's inets library. The root cause lies in the interaction between three modules: mod_alias.erl, mod_auth.erl, and mod_cgi.erl.
The vulnerability allows network-based attackers to bypass authentication controls without requiring user interaction or special privileges. The flaw enables high confidentiality impact through unauthorized access to protected resources, though the integrity and availability impacts are more limited.
The authorization bypass occurs during request processing when script_alias directives are configured. The mod_auth module performs path-based access control checks using a path relative to DocumentRoot, while mod_cgi independently resolves the actual script location using the ScriptAlias mapping. This creates a security gap where protection rules applied to one path do not prevent access to scripts served from another.
Root Cause
The fundamental issue stems from inconsistent path resolution between the authentication and CGI execution modules within the inets HTTP server. When administrators configure script_alias to map URL prefixes to directories outside the DocumentRoot, the path used by mod_auth for access control evaluation differs from the path used by mod_cgi for script execution.
Specifically:
- mod_auth evaluates access rules against a DocumentRoot-relative path
- mod_cgi resolves and executes scripts from the ScriptAlias-mapped path
- Directory-based access controls configured for protected CGI directories are not applied because the path mismatch causes mod_auth to evaluate the wrong directory context
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests to CGI scripts served through script_alias mappings that point to directories outside DocumentRoot. Even when these scripts are protected by directory-based authentication rules (such as requiring Basic or Digest authentication), the path mismatch allows the requests to bypass these controls entirely.
The attack requires network access to the vulnerable Erlang inets HTTP server and knowledge of the CGI script endpoints. No authentication credentials are required, and the attack can be executed with standard HTTP client tools. The vulnerability enables unauthorized access to functionality that administrators intended to protect through directory-based access controls.
Detection Methods for CVE-2026-28808
Indicators of Compromise
- Unexpected successful HTTP requests to CGI scripts in script_alias directories without proper authentication headers
- Server logs showing access to protected CGI resources from unauthenticated sessions
- HTTP 200 responses for CGI endpoints that should return 401 Unauthorized
Detection Strategies
- Review HTTP server access logs for requests to script_alias-mapped CGI scripts that lack authentication headers but receive successful responses
- Implement Web Application Firewall (WAF) rules to monitor and alert on unauthenticated access attempts to known protected CGI endpoints
- Deploy intrusion detection signatures that identify patterns of authentication bypass attempts against Erlang inets servers
Monitoring Recommendations
- Enable detailed access logging on Erlang inets HTTP servers, including authentication status per request
- Monitor for anomalous access patterns to CGI scripts, particularly requests originating from unusual IP addresses or user agents
- Implement alerting for successful CGI script executions that do not have corresponding authentication events
How to Mitigate CVE-2026-28808
Immediate Actions Required
- Upgrade to patched Erlang OTP versions: 28.4.2, 27.3.4.10, or 26.2.5.19 (corresponding to inets versions 9.6.2, 9.3.2.4, or 9.1.0.6)
- Review script_alias configurations and ensure protected CGI scripts have additional application-level authentication if patching is delayed
- Consider temporarily disabling script_alias mappings until patches can be applied
Patch Information
Security patches have been released that address the path resolution inconsistency between mod_auth and mod_cgi. The fixes ensure that access control evaluations use the correct resolved path when processing requests to ScriptAlias-mapped resources.
Relevant patches are available through the following commits:
For additional details, refer to the GitHub Security Advisory GHSA-3vhp-h532-mc3f and Erlang CNA Advisory.
Workarounds
- Relocate CGI scripts served via script_alias to directories within DocumentRoot where mod_auth path resolution aligns correctly
- Implement application-level authentication within CGI scripts rather than relying solely on directory-based access controls
- Use reverse proxy configurations (such as nginx or Apache) in front of Erlang inets to enforce authentication before requests reach the vulnerable server
# Example: Verify your Erlang OTP version
erl -eval 'erlang:display(erlang:system_info(otp_release)), halt().'
# Check inets version
erl -eval 'application:load(inets), {ok, V} = application:get_key(inets, vsn), io:format("~s~n", [V]), halt().'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
