CVE-2026-28808

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via scriptalias.  When scriptalias maps a URL prefix to a directory outside DocumentRoot, modauth evaluates directory-based access controls against the DocumentRoot-relative path while modcgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.  This vulnerability is associated with program files lib/inets/src/httpserver/modalias.erl, lib/inets/src/httpserver/modauth.erl, and lib/inets/src/httpserver/modcgi.erl.  This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.