{"schema_version":"1.7.2","id":"OESA-2026-2572","modified":"2026-06-05T15:48:53Z","published":"2026-06-05T15:48:53Z","upstream":["CVE-2026-28808"],"summary":"erlang security update","details":"Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson.\n\nSecurity Fix(es):\n\nIncorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.\n\nWhen script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19, corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 
9.1.0.6.(CVE-2026-28808)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"erlang","purl":"pkg:rpm/openEuler/erlang&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"25.3.2.6-15.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["erlang-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-asn1-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-common_test-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-compiler-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-crypto-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-debugger-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-debuginfo-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-debugsource-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-dialyzer-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-diameter-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-edoc-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-eldap-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-erl_docgen-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-erl_interface-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-erts-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-et-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-eunit-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-examples-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-ftp-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-inets-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-jinterface-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-kernel-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-megaco-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-mnesia-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-observer-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-odbc-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-os_mon-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-parsetools-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-public_key-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-reltool-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-runtime_tools-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-sasl-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-snmp-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-src-25.3.2.6-15.
oe2403sp1.aarch64.rpm","erlang-ssh-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-ssl-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-stdlib-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-syntax_tools-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-tftp-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-tools-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-wx-25.3.2.6-15.oe2403sp1.aarch64.rpm","erlang-xmerl-25.3.2.6-15.oe2403sp1.aarch64.rpm"],"src":["erlang-25.3.2.6-15.oe2403sp1.src.rpm"],"x86_64":["erlang-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-asn1-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-common_test-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-compiler-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-crypto-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-debugger-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-debuginfo-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-debugsource-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-dialyzer-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-diameter-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-edoc-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-eldap-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-erl_docgen-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-erl_interface-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-erts-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-et-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-eunit-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-examples-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-ftp-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-inets-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-jinterface-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-kernel-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-megaco-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-mnesia-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-observer-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-odbc-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-os_mon-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-parsetools-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-public_key-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-reltool-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-runtime_tools-25.3.2.6-15
.oe2403sp1.x86_64.rpm","erlang-sasl-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-snmp-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-src-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-ssh-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-ssl-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-stdlib-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-syntax_tools-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-tftp-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-tools-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-wx-25.3.2.6-15.oe2403sp1.x86_64.rpm","erlang-xmerl-25.3.2.6-15.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2572"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28808"}],"database_specific":{"severity":"Critical"}}
