Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28808

CVE-2026-28808: Erlang OTP Auth Bypass Vulnerability

CVE-2026-28808 is an authentication bypass vulnerability in Erlang OTP inets modules that allows unauthenticated access to protected CGI scripts via script_alias path mismatches. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-28808 Overview

CVE-2026-28808 is an Incorrect Authorization vulnerability affecting Erlang OTP's inets modules that allows unauthenticated access to CGI scripts that should be protected by directory-based access control rules. The vulnerability arises from a path mismatch between how mod_auth evaluates access controls and how mod_cgi resolves script paths when using script_alias configurations.

When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This architectural inconsistency allows attackers to bypass authentication mechanisms and access protected CGI scripts without proper credentials.

Critical Impact

Unauthenticated remote attackers can bypass directory-based authentication to access protected CGI scripts, potentially exposing sensitive functionality or data processed by these scripts.

Affected Products

  • Erlang OTP versions 17.0 through 28.4.1 (before 28.4.2)
  • Erlang OTP versions 27.x through 27.3.4.9 (before 27.3.4.10)
  • Erlang OTP versions 26.x through 26.2.5.18 (before 26.2.5.19)
  • Erlang inets module versions 5.10 through 9.6.1 (before 9.6.2)
  • Erlang inets module versions 9.3.x through 9.3.2.3 (before 9.3.2.4)
  • Erlang inets module versions 9.1.x through 9.1.0.5 (before 9.1.0.6)

Discovery Timeline

  • April 7, 2026 - CVE-2026-28808 published to NVD
  • April 7, 2026 - Last updated in NVD database

Technical Details for CVE-2026-28808

Vulnerability Analysis

This vulnerability is classified as CWE-863 (Incorrect Authorization) and affects the HTTP server component within Erlang OTP's inets library. The root cause lies in the interaction between three modules: mod_alias.erl, mod_auth.erl, and mod_cgi.erl.

The vulnerability allows network-based attackers to bypass authentication controls without requiring user interaction or special privileges. The flaw enables high confidentiality impact through unauthorized access to protected resources, though the integrity and availability impacts are more limited.

The authorization bypass occurs during request processing when script_alias directives are configured. The mod_auth module performs path-based access control checks using a path relative to DocumentRoot, while mod_cgi independently resolves the actual script location using the ScriptAlias mapping. This creates a security gap where protection rules applied to one path do not prevent access to scripts served from another.

Root Cause

The fundamental issue stems from inconsistent path resolution between the authentication and CGI execution modules within the inets HTTP server. When administrators configure script_alias to map URL prefixes to directories outside the DocumentRoot, the path used by mod_auth for access control evaluation differs from the path used by mod_cgi for script execution.

Specifically:

  • mod_auth evaluates access rules against a DocumentRoot-relative path
  • mod_cgi resolves and executes scripts from the ScriptAlias-mapped path
  • Directory-based access controls configured for protected CGI directories are not applied because the path mismatch causes mod_auth to evaluate the wrong directory context

Attack Vector

An attacker can exploit this vulnerability by sending HTTP requests to CGI scripts served through script_alias mappings that point to directories outside DocumentRoot. Even when these scripts are protected by directory-based authentication rules (such as requiring Basic or Digest authentication), the path mismatch allows the requests to bypass these controls entirely.

The attack requires network access to the vulnerable Erlang inets HTTP server and knowledge of the CGI script endpoints. No authentication credentials are required, and the attack can be executed with standard HTTP client tools. The vulnerability enables unauthorized access to functionality that administrators intended to protect through directory-based access controls.

Detection Methods for CVE-2026-28808

Indicators of Compromise

  • Unexpected successful HTTP requests to CGI scripts in script_alias directories without proper authentication headers
  • Server logs showing access to protected CGI resources from unauthenticated sessions
  • HTTP 200 responses for CGI endpoints that should return 401 Unauthorized

Detection Strategies

  • Review HTTP server access logs for requests to script_alias-mapped CGI scripts that lack authentication headers but receive successful responses
  • Implement Web Application Firewall (WAF) rules to monitor and alert on unauthenticated access attempts to known protected CGI endpoints
  • Deploy intrusion detection signatures that identify patterns of authentication bypass attempts against Erlang inets servers

Monitoring Recommendations

  • Enable detailed access logging on Erlang inets HTTP servers, including authentication status per request
  • Monitor for anomalous access patterns to CGI scripts, particularly requests originating from unusual IP addresses or user agents
  • Implement alerting for successful CGI script executions that do not have corresponding authentication events

How to Mitigate CVE-2026-28808

Immediate Actions Required

  • Upgrade to patched Erlang OTP versions: 28.4.2, 27.3.4.10, or 26.2.5.19 (corresponding to inets versions 9.6.2, 9.3.2.4, or 9.1.0.6)
  • Review script_alias configurations and ensure protected CGI scripts have additional application-level authentication if patching is delayed
  • Consider temporarily disabling script_alias mappings until patches can be applied

Patch Information

Security patches have been released that address the path resolution inconsistency between mod_auth and mod_cgi. The fixes ensure that access control evaluations use the correct resolved path when processing requests to ScriptAlias-mapped resources.

Relevant patches are available through the following commits:

For additional details, refer to the GitHub Security Advisory GHSA-3vhp-h532-mc3f and Erlang CNA Advisory.

Workarounds

  • Relocate CGI scripts served via script_alias to directories within DocumentRoot where mod_auth path resolution aligns correctly
  • Implement application-level authentication within CGI scripts rather than relying solely on directory-based access controls
  • Use reverse proxy configurations (such as nginx or Apache) in front of Erlang inets to enforce authentication before requests reach the vulnerable server
bash
# Example: Verify your Erlang OTP version
erl -eval 'erlang:display(erlang:system_info(otp_release)), halt().'

# Check inets version
erl -eval 'application:load(inets), {ok, V} = application:get_key(inets, vsn), io:format("~s~n", [V]), halt().'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.