CVE-2026-21620 PUBLISHED

TFTP Path Traversal

Assigner: EEF
Reserved: 01.01.2026 Published: 20.02.2026 Updated: 20.02.2026

Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.

This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Erlang
Product	OTP
Versions	Default: unaffected affected from 17.0 to * (excl.) affected from 07b8f441ca711f9812fad9e9115bab3c3aa92f79 to * (excl.)

Vendor	Erlang
Product	OTP
Versions	Default: unaffected affected from pkg:otp/inets@5.10 to pkg:otp/inets@7.0 (excl.) affected from 5.10 to 7.0 (excl.)

Vendor	Erlang
Product	OTP
Versions	Default: unaffected affected from pkg:otp/tftp@1.0 to pkg:otp/tftp@* (excl.) affected from 1.0 to * (excl.)

Credits

Luigino Camastra reporter
Jakub Witczak remediation reviewer
Raimo Niskanen remediation developer

References

Problem Types

CWE-23 Relative Path Traversal CWE

Impacts

CAPEC-139 Relative Path Traversal