Cyber Posture

CVE-2026-28808

Critical

Published: 07 April 2026
Modified: 23 April 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (10.8th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28808 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in the inets HTTP server (httpd) shipped with Erlang/OTP. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 10.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): timely flaw remediation, i.e. upgrading the Erlang/OTP inets modules to a fixed release, directly eliminates the authorization bypass.

AC-3 Access Enforcement (prevent): access enforcement ensures logical access controls are applied to CGI scripts regardless of script_alias path mappings, preventing unauthorized execution.

Secure configuration (prevent): secure configuration settings for the inets modules restrict script_alias usage and directory rules so that protected CGI scripts are not exposed through a mapping the directory rules do not cover.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote unauthenticated authorization bypass in the public-facing inets HTTP server (Erlang/OTP) that enables direct execution of protected CGI scripts, which maps directly to exploitation of Internet-facing applications for initial access and arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Deeper analysis

CVE-2026-28808 is an Incorrect Authorization vulnerability (CWE-863) in the inets modules of Erlang/OTP, specifically affecting the files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. The flaw arises when script_alias maps a URL prefix to a directory outside the DocumentRoot; mod_auth evaluates directory-based access controls against the DocumentRoot-relative path, while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch enables unauthenticated access to CGI scripts intended to be protected by directory rules. The vulnerability impacts Erlang/OTP versions from 17.0 up to but not including 28.4.2, 27.3.4.10, and 26.2.5.19, corresponding to inets versions from 5.10 up to but not including 9.6.2, 9.3.2.4, and 9.1.0.6. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending requests to CGI scripts exposed via script_alias configurations, attackers bypass directory-based authentication rules, gaining unauthorized execution of those scripts. Successful exploitation can result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data exfiltration, or system compromise depending on the CGI scripts' privileges and functions.
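To make the path mismatch concrete, the following is an added model written for this page; it is not code from Erlang/OTP or inets. It reproduces in Python the two resolutions the advisory describes (authorization against the DocumentRoot-relative path, execution at the script_alias-resolved path) and shows the same request being allowed by the vulnerable check and refused once authorization uses the path the script actually runs from. The DocumentRoot, alias target, directory rule, realm name and script name are made up; real inets options are Erlang terms and its directory rules carry auth options rather than a bare realm string, so the config objects here are a simplification.

```python
"""Model of the CVE-2026-28808 path mismatch between mod_auth and mod_cgi.

Added illustration for this page, not code from Erlang/OTP or inets. It
models the behaviour the advisory describes (mod_auth checking the
DocumentRoot-relative path while mod_cgi runs the script_alias-resolved one)
and the obvious fix (authorize the path the script really executes from).
All paths, realm names and script names are made up for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class HttpdConfig:
    document_root: str
    # URL prefix -> filesystem directory, the role of inets' script_alias
    script_alias: dict = field(default_factory=dict)
    # filesystem directory -> realm the caller must be authenticated to;
    # stands in for an inets directory rule carrying auth options
    directory_rules: dict = field(default_factory=dict)


def resolve_script_alias(cfg: HttpdConfig, url_path: str):
    """Filesystem path mod_cgi would execute, or None if no alias matches."""
    for prefix, target in cfg.script_alias.items():
        if url_path.startswith(prefix):
            return target.rstrip("/") + "/" + url_path[len(prefix):]
    return None


def docroot_relative(cfg: HttpdConfig, url_path: str) -> str:
    """Filesystem path obtained by simply appending the URL to DocumentRoot."""
    return cfg.document_root.rstrip("/") + url_path


def required_realm(cfg: HttpdConfig, fs_path: str):
    """Realm of the most specific directory rule covering fs_path, or None."""
    best_dir, best_realm = "", None
    for directory, realm in cfg.directory_rules.items():
        d = directory.rstrip("/") + "/"
        if fs_path.startswith(d) and len(d) > len(best_dir):
            best_dir, best_realm = d, realm
    return best_realm


def handle_request(cfg: HttpdConfig, url_path: str, auth_realms: set, fixed: bool):
    """Return (decision, executed_path).

    decision is "not_cgi", "deny_401" or "execute". With fixed=False the
    authorization step looks up directory rules by the DocumentRoot-relative
    path (the flaw); with fixed=True it uses the same alias-resolved path
    the CGI step executes, so the rule protecting the script is found.
    """
    cgi_path = resolve_script_alias(cfg, url_path)
    if cgi_path is None:
        return ("not_cgi", None)
    checked_path = cgi_path if fixed else docroot_relative(cfg, url_path)
    realm = required_realm(cfg, checked_path)
    if realm is not None and realm not in auth_realms:
        return ("deny_401", None)
    return ("execute", cgi_path)


# Constructed demo configs. CFG_OUTSIDE is the vulnerable shape from the
# advisory: script_alias points outside DocumentRoot and the directory rule
# protects that outside directory. CFG_INSIDE keeps the CGI directory under
# DocumentRoot, where both resolutions coincide and the rule holds either way.
CFG_OUTSIDE = HttpdConfig(
    document_root="/srv/www",
    script_alias={"/cgi-bin/": "/srv/secure-cgi/"},
    directory_rules={"/srv/secure-cgi": "admins"},
)
CFG_INSIDE = HttpdConfig(
    document_root="/srv/www",
    script_alias={"/cgi-bin/": "/srv/www/cgi-bin/"},
    directory_rules={"/srv/www/cgi-bin": "admins"},
)

if __name__ == "__main__":
    for label, cfg in (("outside", CFG_OUTSIDE), ("inside", CFG_INSIDE)):
        for fixed in (False, True):
            print(label, "fixed" if fixed else "vulnerable",
                  handle_request(cfg, "/cgi-bin/admin.sh", set(), fixed))
```

Running it shows the condition the NVD text attaches to the bug: with the alias target outside DocumentRoot, the unauthenticated request executes under the vulnerable check and gets a 401 under the fixed one; with the target inside DocumentRoot both checks look at the same path and the rule is enforced in both modes. The practical audit is therefore to list every script_alias whose target is not under DocumentRoot and confirm that a directory rule exists for the target directory on a patched release, since on a vulnerable release no rule will be consulted for it.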

Advisories and patches, detailed in sources such as the ERLEF CNA page, GitHub security advisory GHSA-3vhp-h532-mc3f, and the fix commits 8fc71ac6af4fbcc54103bec2983ef22e82942688 and 9dfa0c51eac97866078e808dec2183cb7871ff7c, recommend upgrading to the remediated releases OTP 28.4.2, 27.3.4.10, or 26.2.5.19 (inets 9.6.2, 9.3.2.4, or 9.1.0.6 respectively). No workaround is specified beyond not serving protected CGI scripts through script_alias and reviewing existing script_alias and directory-rule configurations.

Details

CWE(s)

CWE-863 Incorrect Authorization

Affected Products

erlang/inets
5.10 up to (not including) 9.1.0.6 · 9.2 up to 9.3.2.4 · 9.4 up to 9.6.2
erlang/otp
17.0 up to (not including) 26.2.5.19 · 27.0 up to 27.3.4.10 · 28.0 up to 28.4.2
(each upper bound is the fixed release on that branch)
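As an added helper written for this page (not part of Erlang/OTP), the following classifies an OTP or inets version string against the affected ranges listed above, treating each lower bound as inclusive and each upper bound as the first fixed release, and reports which release to upgrade to. The product keys, the accepted "OTP-" tag prefix and the four-component padding are assumptions of the helper.

```python
"""Classify Erlang/OTP and inets version strings against CVE-2026-28808.

Added helper for this page, not part of Erlang/OTP. The ranges come from
the affected-products list on the page (lower bound inclusive, upper bound
is the fixed release and excluded). Reading the version strings out of a
running node is up to the caller; this only classifies strings.
"""
import re

# (first affected, first fixed) per maintenance branch, as listed on the page
AFFECTED = {
    "inets": [("5.10", "9.1.0.6"), ("9.2", "9.3.2.4"), ("9.4", "9.6.2")],
    "otp": [("17.0", "26.2.5.19"), ("27.0", "27.3.4.10"), ("28.0", "28.4.2")],
}


def parse_version(text: str) -> tuple:
    """'OTP-27.3.4.9' -> (27, 3, 4, 9); always padded to four components.

    Padding keeps comparisons like 9.2 < 9.2.0.1 well defined. Anything that
    is not 1 to 4 dot-separated integers (optionally prefixed 'OTP-', the
    form used by OTP git tags) is rejected rather than guessed at.
    """
    s = text.strip()
    if s.upper().startswith("OTP-"):
        s = s[4:]
    if not re.fullmatch(r"\d+(\.\d+){0,3}", s):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def fixed_version_for(product: str, version: str):
    """Fixed release on the branch containing `version`, or None if unaffected."""
    v = parse_version(version)
    for start, fixed in AFFECTED[product]:
        if parse_version(start) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(product: str, version: str) -> bool:
    return fixed_version_for(product, version) is not None


if __name__ == "__main__":
    samples = [("otp", "OTP-27.3.4.9"), ("otp", "28.4.2"),
               ("inets", "9.1.0.5"), ("inets", "9.6.2")]
    for product, version in samples:
        fix = fixed_version_for(product, version)
        verdict = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{product} {version}: {verdict}")
```

Note that erlang:system_info(otp_release) only returns the major release ("27"), which is not precise enough here; the full version is in the OTP_VERSION file under the installation's releases directory, and the inets version is the vsn key of the loaded inets application (application:get_key(inets, vsn)). Feed those strings to fixed_version_for rather than the major number alone.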

CVEs Like This One

CVE-2026-34376 (shared CWE-863)
CVE-2026-23989 (shared CWE-863)
CVE-2026-4933 (shared CWE-863)
CVE-2026-31887 (shared CWE-863)
CVE-2026-34532 (shared CWE-863)
CVE-2026-21309 (shared CWE-863)
CVE-2026-29087 (shared CWE-863)
CVE-2026-26308 (shared CWE-863)
CVE-2024-13277 (shared CWE-863)
CVE-2026-25875 (shared CWE-863)
