Auth bypass in Erlang OTP

CVE-2026-28808

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside Documen…

Vulnerability class: Broken Access Control

EPSS: 0.000 (11.1th percentile)

Affected products

  • Erlang OTP — versions 5.10, 17.0, 07b8f441ca711f9812fad9e9115bab3c3aa92f79

References