OESA-2026-2572

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2572
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2572.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2572
Upstream
  • CVE-2026-28808
Published
2026-06-05T15:48:53Z
Modified
2026-06-05T16:00:42.399032148Z
Summary
erlang security update
Details

Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson.

Security Fix(es):

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.

When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.

This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19, corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6. (CVE-2026-28808)

Database specific
{
    "severity": "Critical"
}
References

Affected packages

openEuler:24.03-LTS-SP1 / erlang

Package

Name
erlang
Purl
pkg:rpm/openEuler/erlang&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
25.3.2.6-15.oe2403sp1

Ecosystem specific

{
    "aarch64": [
        "erlang-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-asn1-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-common_test-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-compiler-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-crypto-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-debugger-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-debuginfo-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-debugsource-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-dialyzer-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-diameter-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-edoc-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-eldap-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-erl_docgen-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-erl_interface-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-erts-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-et-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-eunit-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-examples-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-ftp-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-inets-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-jinterface-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-kernel-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-megaco-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-mnesia-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-observer-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-odbc-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-os_mon-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-parsetools-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-public_key-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-reltool-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-runtime_tools-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-sasl-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-snmp-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-src-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-ssh-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-ssl-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-stdlib-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-syntax_tools-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-tftp-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-tools-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-wx-25.3.2.6-15.oe2403sp1.aarch64.rpm",
        "erlang-xmerl-25.3.2.6-15.oe2403sp1.aarch64.rpm"
    ],
    "src": [
        "erlang-25.3.2.6-15.oe2403sp1.src.rpm"
    ],
    "x86_64": [
        "erlang-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-asn1-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-common_test-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-compiler-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-crypto-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-debugger-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-debuginfo-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-debugsource-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-dialyzer-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-diameter-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-edoc-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-eldap-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-erl_docgen-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-erl_interface-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-erts-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-et-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-eunit-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-examples-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-ftp-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-inets-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-jinterface-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-kernel-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-megaco-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-mnesia-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-observer-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-odbc-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-os_mon-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-parsetools-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-public_key-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-reltool-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-runtime_tools-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-sasl-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-snmp-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-src-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-ssh-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-ssl-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-stdlib-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-syntax_tools-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-tftp-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-tools-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-wx-25.3.2.6-15.oe2403sp1.x86_64.rpm",
        "erlang-xmerl-25.3.2.6-15.oe2403sp1.x86_64.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2572.json"