CVE

EEF-CVE-2026-28808

ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)

Summary

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.

When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.

This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19, corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Workaround

  • Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.
  • Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.
  • Remove mod_cgi from the httpd modules chain if CGI functionality is not required.

Configuration

The inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix.
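The two configuration shapes described above, as an added example that is not part of this advisory or of OTP: an httpd property list whose script_alias target lies outside DocumentRoot, the hardened layout whose target equals DocumentRoot + URL prefix, and a small audit function that flags the mismatch in any httpd property list. Ports, paths, module name and user names are constructed.

```erlang
%% Constructed example, not OTP code: two inets httpd property lists and an
%% audit that flags script_alias targets not equal to document_root ++ prefix.
-module(httpd_scriptalias_audit).
-export([vulnerable_config/0, hardened_config/0, mismatched_script_aliases/1]).

%% Shared settings (constructed port and paths).
base_config() ->
    [{port, 8080},
     {server_name, "localhost"},
     {server_root, "/srv/www"},
     {document_root, "/srv/www/htdocs"},
     {modules, [mod_alias, mod_auth, mod_cgi, mod_get, mod_head, mod_log]}].

%% Directory rule handed to mod_auth; user and group files are constructed.
auth_rules() ->
    [{auth_type, plain},
     {auth_name, "Restricted CGI"},
     {auth_user_file, "/srv/www/conf/passwd"},
     {auth_group_file, "/srv/www/conf/group"},
     {require_user, ["admin"]}].

%% Vulnerable shape: the CGI directory lives outside DocumentRoot. mod_auth
%% matches directory rules against DocumentRoot ++ "/cgi-bin/...", which is
%% not "/opt/cgi", so the rule does not cover the script mod_cgi executes.
vulnerable_config() ->
    base_config() ++
        [{script_alias, {"/cgi-bin/", "/opt/cgi/"}},
         {directory, {"/opt/cgi", auth_rules()}}].

%% Hardened shape: the script_alias target is exactly DocumentRoot ++ prefix,
%% so the path mod_auth checks is the path mod_cgi resolves.
hardened_config() ->
    base_config() ++
        [{script_alias, {"/cgi-bin/", "/srv/www/htdocs/cgi-bin/"}},
         {directory, {"/srv/www/htdocs/cgi-bin", auth_rules()}}].

%% Returns [{UrlPrefix, Target, ExpectedTarget}] for each script_alias whose
%% target differs from document_root ++ UrlPrefix; [] means the layout is safe.
%% Trailing slashes are ignored so "/a/" and "/a" compare equal.
mismatched_script_aliases(Config) ->
    DocRoot = proplists:get_value(document_root, Config, ""),
    [{Prefix, Target, DocRoot ++ Prefix}
     || {script_alias, {Prefix, Target}} <- Config,
        strip_slash(Target) =/= strip_slash(DocRoot ++ Prefix)].

strip_slash(Path) ->
    string:trim(Path, trailing, "/").
```

Running the audit over the property list you actually pass to inets:start(httpd, Config) is a quick way to confirm that every script_alias target sits at DocumentRoot + URL prefix before relying on directory rules to protect it.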


CVSS Version: 4.0
Base Score: 8.3
Score Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f
https://cna.erlef.org/cves/CVE-2026-28808.html
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688
https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c

Severity

9.8

Basic Information

Base CVSS: 9.8
EPSS Probability: 0.00021%
EPSS Percentile: 0.05714%
Introduced Version: 07b8f441ca711f9812fad9e9115bab3c3aa92f79
Fix Available: 9dfa0c51eac97866078e808dec2183cb7871ff7c
