Platform
apache
Component
erlang-otp
Fixed in
*
*
*
CVE-2026-28808 describes an Incorrect Authorization vulnerability affecting Erlang/OTP versions 17.0.0 and later. This flaw allows unauthenticated access to CGI scripts protected by directory rules when served via scriptalias. The vulnerability stems from a path mismatch between how modauth and mod_cgi handle access control, potentially leading to unauthorized script execution. A fix is available, and users are urged to upgrade.
The primary impact of CVE-2026-28808 is the potential for unauthorized access to CGI scripts. An attacker could exploit this vulnerability to execute arbitrary code on the server if the CGI scripts are vulnerable themselves. This could lead to data breaches, system compromise, or denial of service. The blast radius extends to any sensitive data processed or stored by the CGI scripts, and successful exploitation could provide a foothold for lateral movement within the network if the server has access to other resources. This vulnerability shares similarities with other authorization bypass flaws where path manipulation allows circumvention of access controls.
CVE-2026-28808 was published on 2026-04-07. Severity is pending evaluation. No public Proof-of-Concept (POC) exploits are currently known. There are no indications of active campaigns targeting this vulnerability at this time. Monitor security advisories from the Erlang/OTP vendor for updates and further guidance.
Exploit Status
EPSS
0.06% (20% percentile)
CISA SSVC
The recommended mitigation for CVE-2026-28808 is to upgrade to a patched version of Erlang/OTP as soon as it becomes available. Until an upgrade is possible, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests that attempt to bypass directory access controls. Carefully review and restrict the use of script_alias, ensuring that it does not map URLs to directories outside the DocumentRoot. Regularly audit the configuration of your Erlang/OTP installation to identify and address any potential misconfigurations. After upgrade, confirm by attempting to access protected CGI scripts without authentication and verifying that access is denied.
Actualice Erlang/OTP a la versión 28.4.3 o superior para mitigar esta vulnerabilidad. La vulnerabilidad se debe a una discrepancia en la evaluación de la autorización entre mod_auth y mod_cgi, que permite el acceso no autenticado a scripts CGI. Asegúrese de aplicar la actualización en todos los entornos afectados.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-28808 is a vulnerability in Erlang/OTP's inets modules that allows unauthenticated access to CGI scripts due to a path mismatch in access control evaluation. It affects versions 17.0.0 and higher, potentially enabling attackers to execute arbitrary code.
If you are running Erlang/OTP version 17.0.0 or later and are using script_alias to serve CGI scripts, you are potentially affected. Assess your configuration and upgrade as soon as a patch is available.
The primary fix is to upgrade to a patched version of Erlang/OTP. Until then, implement temporary mitigations such as WAF rules and careful configuration of script_alias to prevent access outside the DocumentRoot.
Currently, there are no known active campaigns exploiting CVE-2026-28808, and no public Proof-of-Concept (POC) exploits are available. However, it's crucial to apply the fix or mitigations promptly.
Refer to the Erlang/OTP vendor's security advisories and release notes for the official advisory regarding CVE-2026-28808. Check the Erlang Solutions website for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.