CVE-2026-28808 PUBLISHED

ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)

Assigner: EEF
Reserved: 03.03.2026 Published: 07.04.2026 Updated: 07.04.2026

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.

When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.

This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19, corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.3

Product Status

Vendor: Erlang
Product: OTP
Versions (default: affected)
  • affected from 5.10 to * (excl.)
Vendor: Erlang
Product: OTP
Versions (default: affected)
  • affected from 17.0 to * (excl.)
  • affected from 07b8f441ca711f9812fad9e9115bab3c3aa92f79 to * (excl.)

Affected Configurations

The inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix.

Workarounds

  • Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.
  • Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.
  • Remove mod_cgi from the httpd modules chain if CGI functionality is not required.
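The following Erlang module is an added example, not part of the advisory or the OTP sources. It places the affected configuration (script_alias target outside DocumentRoot, with a mod_auth directory rule on that target) beside one whose script_alias target equals DocumentRoot + URL prefix, the condition under which the advisory says the mismatch does not arise, and it includes an audit function that flags any script_alias property whose target differs from DocumentRoot + prefix. The property names are real inets httpd options; all paths, the server name and the user name are constructed.

```erlang
%% Added audit example (not from the advisory or the OTP sources). Property
%% names are real inets httpd options; paths and users are constructed.
-module(inets_cgi_audit).
-export([vulnerable_config/0, aligned_config/0, mismatched_script_aliases/1]).

%% script_alias target outside DocumentRoot: a request for /cgi-bin/report
%% executes /srv/cgi/report, but mod_auth evaluates the directory rules
%% against /srv/httpd/htdocs/cgi-bin/report, so the rule on /srv/cgi never
%% applies and the script is reachable without credentials.
vulnerable_config() ->
    base() ++
    [{script_alias, {"/cgi-bin/", "/srv/cgi/"}},
     {directory, {"/srv/cgi", auth_rule()}}].

%% Same server with the target equal to DocumentRoot ++ URL prefix; the
%% directory rule now covers the path both modules resolve to.
aligned_config() ->
    base() ++
    [{script_alias, {"/cgi-bin/", "/srv/httpd/htdocs/cgi-bin/"}},
     {directory, {"/srv/httpd/htdocs/cgi-bin", auth_rule()}}].

base() ->
    [{port, 8080},
     {server_name, "cgi.example.test"},
     {server_root, "/srv/httpd"},
     {document_root, "/srv/httpd/htdocs"},
     %% mod_auth must precede mod_cgi so access checks run before execution.
     {modules, [mod_alias, mod_auth, mod_cgi, mod_get, mod_head, mod_log]}].

auth_rule() ->
    [{auth_type, plain},
     {auth_name, "CGI"},
     {auth_user_file, "/srv/httpd/conf/users"},
     {auth_group_file, "/srv/httpd/conf/groups"},
     {require_user, ["admin"]}].

%% Returns every script_alias whose target is not DocumentRoot ++ URL prefix
%% (trailing slashes ignored). A non-empty result is the affected
%% configuration described in this advisory; pass the property list to
%% inets:start(httpd, Props) only after this returns [].
mismatched_script_aliases(Props) ->
    DocRoot = strip_slash(proplists:get_value(document_root, Props)),
    [{Prefix, Target} || {script_alias, {Prefix, Target}} <- Props,
                         strip_slash(Target) =/= DocRoot ++ strip_slash(Prefix)].

strip_slash(Path) ->
    case lists:reverse(Path) of
        [$/ | Rest] -> lists:reverse(Rest);
        _ -> Path
    end.
```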

Credits

  • Igor Morgenstern / Aisle Research (reporter)
  • Konrad Pietrzak (remediation developer)

Problem Types

  • CWE-863 Incorrect Authorization

Impacts

  • CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs