Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for erlang\/inets by erlang

    CVE-2026-48858 (GCVE-0-2026-48858)

    Vulnerability from nvd – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
    VLAI
    Title
    ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts. The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer. The ftp application is deprecated and scheduled for removal in OTP-30. This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later). This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 5.10.4 , < 7.0 (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 1.0 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.4 , < * (otp)
    Affected: be95772ee1fcfe71045ef070130bea7a910b81e3 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Jonatan Männchen / EEF Jonatan Männchen / EEF Ingela Anderton Andin
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48858",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T16:20:57.662713Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T16:21:08.893Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ftp_internal"
              ],
              "packageName": "inets",
              "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ftp/ftp_internal.erl"
              ],
              "programRoutines": [
                {
                  "name": "ftp_internal:handle_ctrl_result/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "lessThan": "7.0",
                  "status": "affected",
                  "version": "5.10.4",
                  "versionType": "otp"
                }
              ]
            },
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ftp_internal"
              ],
              "packageName": "ftp",
              "packageURL": "pkg:otp/ftp?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ftp_internal.erl"
              ],
              "programRoutines": [
                {
                  "name": "ftp_internal:handle_ctrl_result/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.2.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.2.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.2.3.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ftp_internal"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/inets/src/ftp/ftp_internal.erl",
                "lib/ftp/src/ftp_internal.erl"
              ],
              "programRoutines": [
                {
                  "name": "ftp_internal:handle_ctrl_result/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.13",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.4",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "2691a806231ffd0490a8a9e20500dec0c7e73727",
                      "status": "unaffected"
                    },
                    {
                      "at": "521bcfa24407ee8cb5614823cf905c37ea3aa605",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "be95772ee1fcfe71045ef070130bea7a910b81e3",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerable path is active under the default configuration: \u003ctt\u003emode=passive\u003c/tt\u003e, \u003ctt\u003eipfamily=inet\u003c/tt\u003e, and \u003ctt\u003eftp_extension=false\u003c/tt\u003e are all defaults for \u003ctt\u003eftp:open/2\u003c/tt\u003e."
                }
              ],
              "value": "The vulnerable path is active under the default configuration: mode=passive, ipfamily=inet, and ftp_extension=false are all defaults for ftp:open/2."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.13",
                      "versionStartIncluding": "17.4",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.2",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.2",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ingela Anderton Andin"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eServer-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp_internal:handle_ctrl_result/2\u003c/tt\u003e PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to \u003ctt\u003egen_tcp:connect/4\u003c/tt\u003e without validating it against the control connection peer address. The adjacent EPSV handlers correctly call \u003ctt\u003epeername(CSock)\u003c/tt\u003e to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (\u003ctt\u003eftp:ls/1,2\u003c/tt\u003e, \u003ctt\u003eftp:nlist/1,2\u003c/tt\u003e, \u003ctt\u003eftp:recv/2,3\u003c/tt\u003e), data from the redirected target is returned to the caller. On write operations (\u003ctt\u003eftp:send/2,3\u003c/tt\u003e, \u003ctt\u003eftp:append/2,3\u003c/tt\u003e), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\u003c/p\u003e\u003cp\u003eThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp\u003c/tt\u003e application is deprecated and scheduled for removal in OTP-30.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/ftp/ftp_internal.erl\u003c/tt\u003e (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and \u003ctt\u003elib/ftp/src/ftp_internal.erl\u003c/tt\u003e (ftp 1.0 and later, OTP 21.0 and later).\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\n\nThe ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\n\nThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\n\nThe ftp application is deprecated and scheduled for removal in OTP-30.\n\nThis vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).\n\nThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T04:45:36.460Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-48858.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48858"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Pass \u003ctt\u003e{ftp_extension, true}\u003c/tt\u003e to \u003ctt\u003eftp:open/2\u003c/tt\u003e to use EPSV instead of PASV. Alternatively, pass \u003ctt\u003e{mode, active}\u003c/tt\u003e to use active mode, or pass \u003ctt\u003e{ipfamily, inet6}\u003c/tt\u003e to force IPv6, both of which bypass the vulnerable PASV path."
                }
              ],
              "value": "Pass {ftp_extension, true} to ftp:open/2 to use EPSV instead of PASV. Alternatively, pass {mode, active} to use active mode, or pass {ipfamily, inet6} to force IPv6, both of which bypass the vulnerable PASV path."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-48858",
        "datePublished": "2026-06-10T14:35:45.466Z",
        "dateReserved": "2026-05-25T20:44:10.697Z",
        "dateUpdated": "2026-06-11T04:45:36.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48856 (GCVE-0-2026-48856)

    Vulnerability from nvd – Published: 2026-06-10 14:41 – Updated: 2026-06-11 04:45
    VLAI
    Title
    httpc leaks Authorization header to cross-origin redirect targets
    Summary
    Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 5.10 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < 688d748d6f7a6a06b13b662a1d3de8af97079612 (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Jonatan Männchen / EEF Jonatan Männchen / EEF Ingela Anderton Andin Konrad Pietrzak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48856",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T16:23:52.053802Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T16:24:02.066Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "httpc_response"
              ],
              "packageName": "inets",
              "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/http_client/httpc_response.erl"
              ],
              "programRoutines": [
                {
                  "name": "httpc_response:redirect/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "9.7.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.6.2.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.3.2.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "5.10",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "httpc_response"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/inets/src/http_client/httpc_response.erl"
              ],
              "programRoutines": [
                {
                  "name": "httpc_response:redirect/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.13",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "lessThan": "688d748d6f7a6a06b13b662a1d3de8af97079612",
                  "status": "affected",
                  "version": "84adefa331c4159d432d22840663c38f155cd4c1",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.13",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.2",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.2",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ingela Anderton Andin"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Konrad Pietrzak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (\u003ctt\u003ehttpc_response\u003c/tt\u003e module) allows Retrieve Embedded Sensitive Data.\u003cp\u003eThe \u003ctt\u003ehttpc\u003c/tt\u003e client forwards the \u003ctt\u003eAuthorization\u003c/tt\u003e and \u003ctt\u003eProxy-Authorization\u003c/tt\u003e request headers to redirect targets without checking whether the redirect crosses an origin boundary. \u003ctt\u003ehttpc_response:redirect/2\u003c/tt\u003e constructs the redirected request by updating only the \u003ctt\u003ehost\u003c/tt\u003e field of the header record; all other fields (including \u003ctt\u003eauthorization\u003c/tt\u003e and \u003ctt\u003eproxy_authorization\u003c/tt\u003e) are copied verbatim. The redirect target host is never compared against the original host.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eautoredirect\u003c/tt\u003e defaults to \u003ctt\u003etrue\u003c/tt\u003e, so this affects all \u003ctt\u003ehttpc\u003c/tt\u003e callers that do not explicitly disable automatic redirects.\u003c/p\u003e\u003cp\u003eAn attacker who controls a server that the victim contacts via \u003ctt\u003ehttpc\u003c/tt\u003e can issue a cross-origin 3xx redirect to a server they also control. The \u003ctt\u003eAuthorization\u003c/tt\u003e header (including Basic credentials derived from URL userinfo via \u003ctt\u003ehttpc_request:handle_user_info/2\u003c/tt\u003e) is forwarded to the redirect target, allowing credential theft. The same applies to the \u003ctt\u003eProxy-Authorization\u003c/tt\u003e header.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_client/httpc_response.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.\u003c/p\u003e"
                }
              ],
              "value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.\n\nThe httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.\n\nautoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.\n\nAn attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.\n\nThis vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.\n\nThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T04:45:35.836Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-48856.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48856"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "httpc leaks Authorization header to cross-origin redirect targets",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eSet \u003ctt\u003e{autoredirect, false}\u003c/tt\u003e in the \u003ctt\u003ehttpc:request/4\u003c/tt\u003e options and handle redirects manually, stripping the \u003ctt\u003eAuthorization\u003c/tt\u003e header when the redirect crosses an origin boundary.\u003c/li\u003e\u003cli\u003eEnsure that \u003ctt\u003ehttpc\u003c/tt\u003e is only used to contact trusted servers that will not issue cross-origin redirects.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary.\n* Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-48856",
        "datePublished": "2026-06-10T14:41:51.616Z",
        "dateReserved": "2026-05-25T20:44:10.697Z",
        "dateUpdated": "2026-06-11T04:45:35.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28808 (GCVE-0-2026-28808)

    Vulnerability from nvd – Published: 2026-04-07 12:28 – Updated: 2026-07-01 04:45
    VLAI
    Title
    ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)
    Summary
    Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    • CWE-551 - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 5.10 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 07b8f441ca711f9812fad9e9115bab3c3aa92f79 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Red Hat Red Hat OpenStack Platform 16.2     cpe:/a:redhat:openstack:16.2
    Create a notification for this product.
    Red Hat Red Hat OpenStack Platform 17.1     cpe:/a:redhat:openstack:17.1
    Create a notification for this product.
    Red Hat Red Hat OpenStack Platform 18.0     cpe:/a:redhat:openstack:18.0
    Create a notification for this product.
    Credits
    Igor Morgenstern / Aisle Research Konrad Pietrzak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28808",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T13:14:10.515632Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T13:14:16.481Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openstack:16.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenStack Platform 16.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openstack:17.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenStack Platform 17.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openstack:18.0"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenStack Platform 18.0",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T12:28:16.056Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Erlang OTP (inets modules). A remote unauthenticated attacker could exploit an incorrect authorization vulnerability when CGI (Common Gateway Interface) scripts are served via script_alias. This vulnerability arises from a path mismatch where access controls are evaluated against a different path than the script\u0027s execution path. This allows unauthorized access to CGI scripts intended to be protected by directory rules, potentially leading to information disclosure or the execution of unauthorized scripts."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.4,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-551",
                    "description": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:58.601Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-28808"
              },
              {
                "name": "RHBZ#2455909",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455909"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28808.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T13:01:42.326Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T12:28:16.056Z",
                "value": "Made public."
              }
            ],
            "title": "erlang/otp: inets: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "affected",
              "modules": [
                "inets"
              ],
              "packageName": "inets",
              "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/http_server/mod_alias.erl",
                "src/http_server/mod_auth.erl",
                "src/http_server/mod_cgi.erl"
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "9.6.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.3.2.4",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.1.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "5.10",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "affected",
              "modules": [
                "inets"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/inets/src/http_server/mod_alias.erl",
                "lib/inets/src/http_server/mod_auth.erl",
                "lib/inets/src/http_server/mod_cgi.erl"
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.10",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.19",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "8fc71ac6af4fbcc54103bec2983ef22e82942688",
                      "status": "unaffected"
                    },
                    {
                      "at": "9dfa0c51eac97866078e808dec2183cb7871ff7c",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The inets httpd server must use \u003ctt\u003escript_alias\u003c/tt\u003e to map a URL prefix to a CGI directory, combined with \u003ctt\u003edirectory\u003c/tt\u003e-based access controls (e.g., \u003ctt\u003emod_auth\u003c/tt\u003e) protecting the \u003ctt\u003escript_alias\u003c/tt\u003e target path. The vulnerability applies whenever the \u003ctt\u003escript_alias\u003c/tt\u003e target path differs from \u003ctt\u003eDocumentRoot\u003c/tt\u003e + URL prefix."
                }
              ],
              "value": "The inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.19",
                      "versionStartIncluding": "17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.10",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.2",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Igor Morgenstern / Aisle Research"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Konrad Pietrzak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by \u003ctt\u003edirectory\u003c/tt\u003e rules when served via \u003ctt\u003escript_alias\u003c/tt\u003e.\u003cp\u003eWhen \u003ctt\u003escript_alias\u003c/tt\u003e maps a URL prefix to a directory outside \u003ctt\u003eDocumentRoot\u003c/tt\u003e, \u003ctt\u003emod_auth\u003c/tt\u003e evaluates \u003ctt\u003edirectory\u003c/tt\u003e-based access controls against the \u003ctt\u003eDocumentRoot\u003c/tt\u003e-relative path while \u003ctt\u003emod_cgi\u003c/tt\u003e executes the script at the \u003ctt\u003eScriptAlias\u003c/tt\u003e-resolved path. This path mismatch allows unauthenticated access to CGI scripts that \u003ctt\u003edirectory\u003c/tt\u003e rules were meant to protect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_server/mod_alias.erl\u003c/tt\u003e, \u003ctt\u003elib/inets/src/http_server/mod_auth.erl\u003c/tt\u003e, and \u003ctt\u003elib/inets/src/http_server/mod_cgi.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.\n\nWhen script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T04:45:33.019Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-28808.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28808"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eMove CGI scripts inside \u003ctt\u003eDocumentRoot\u003c/tt\u003e and use \u003ctt\u003ealias\u003c/tt\u003e instead of \u003ctt\u003escript_alias\u003c/tt\u003e to ensure \u003ctt\u003emod_auth\u003c/tt\u003e resolves the correct path.\u003c/li\u003e\u003cli\u003eApply URL-based access controls at a reverse proxy layer to block unauthenticated access to the \u003ctt\u003escript_alias\u003c/tt\u003e URL prefix.\u003c/li\u003e\u003cli\u003eRemove \u003ctt\u003emod_cgi\u003c/tt\u003e from the httpd modules chain if CGI functionality is not required.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.\n* Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.\n* Remove mod_cgi from the httpd modules chain if CGI functionality is not required."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-28808",
        "datePublished": "2026-04-07T12:28:16.056Z",
        "dateReserved": "2026-03-03T14:40:00.590Z",
        "dateUpdated": "2026-07-01T04:45:33.019Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23941 (GCVE-0-2026-23941)

    Vulnerability from nvd – Published: 2026-03-13 09:11 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Request smuggling via first-wins Content-Length parsing in inets httpd
    Summary
    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 5.10 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 0 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Luigino Camastra / Aisle Research Konrad Pietrzak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23941",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T16:00:50.466386Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T16:00:56.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "httpd_request"
              ],
              "packageName": "inets",
              "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/http_server/httpd_request.erl"
              ],
              "programRoutines": [
                {
                  "name": "httpd_request:parse_headers/7"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "9.6.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.3.2.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.1.0.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "5.10",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "httpd_request"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/inets/src/http_server/httpd_request.erl"
              ],
              "programRoutines": [
                {
                  "name": "httpd_request:parse_headers/7"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.9",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "a4b46336fd25aa100ac602eb9a627aaead7eda18",
                      "status": "unaffected"
                    },
                    {
                      "at": "a761d391d8d08316cbd7d4a86733ba932b73c45b",
                      "status": "unaffected"
                    },
                    {
                      "at": "e775a332f623851385ab6ddb866d9b150612ddf6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The inets httpd server must be deployed behind a reverse proxy that honors a different Content-Length header than httpd (e.g., last vs. first). HTTP keep-alive must be enabled (the default)."
                }
              ],
              "value": "The inets httpd server must be deployed behind a reverse proxy that honors a different Content-Length header than httpd (e.g., last vs. first). HTTP keep-alive must be enabled (the default)."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.18",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.9",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.1",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Luigino Camastra / Aisle Research"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Konrad Pietrzak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_server/httpd_request.erl\u003c/tt\u003e and program routines \u003ctt\u003ehttpd_request:parse_headers/7\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.\u003c/p\u003e"
                }
              ],
              "value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.\n\nThe server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-33",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-33 HTTP Request Smuggling"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:34.616Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-w4jc-9wpv-pqh7"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-23941.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-23941"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/a4b46336fd25aa100ac602eb9a627aaead7eda18"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/a761d391d8d08316cbd7d4a86733ba932b73c45b"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/e775a332f623851385ab6ddb866d9b150612ddf6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Request smuggling via first-wins Content-Length parsing in inets httpd",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eConfigure frontend proxy to reject requests with duplicate Content-Length headers.\u003c/li\u003e\u003cli\u003eDisable HTTP keep-alive on httpd by adding \u003ctt\u003e{keep_alive, false}\u003c/tt\u003e to httpd configuration. Note: This impacts performance for clients making multiple requests.\u003c/li\u003e\u003cli\u003eDeploy a Web Application Firewall (WAF) configured to reject requests with multiple Content-Length headers.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Configure frontend proxy to reject requests with duplicate Content-Length headers.\n* Disable HTTP keep-alive on httpd by adding `{keep_alive, false}` to httpd configuration. Note: This impacts performance for clients making multiple requests.\n* Deploy a Web Application Firewall (WAF) configured to reject requests with multiple Content-Length headers."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-23941",
        "datePublished": "2026-03-13T09:11:58.175Z",
        "dateReserved": "2026-01-19T14:23:14.343Z",
        "dateUpdated": "2026-05-27T15:40:34.616Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48856 (GCVE-0-2026-48856)

    Vulnerability from cvelistv5 – Published: 2026-06-10 14:41 – Updated: 2026-06-11 04:45
    VLAI
    Title
    httpc leaks Authorization header to cross-origin redirect targets
    Summary
    Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 5.10 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < 688d748d6f7a6a06b13b662a1d3de8af97079612 (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Jonatan Männchen / EEF Jonatan Männchen / EEF Ingela Anderton Andin Konrad Pietrzak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48856",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T16:23:52.053802Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T16:24:02.066Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "httpc_response"
              ],
              "packageName": "inets",
              "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/http_client/httpc_response.erl"
              ],
              "programRoutines": [
                {
                  "name": "httpc_response:redirect/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "9.7.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.6.2.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.3.2.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "5.10",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "httpc_response"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/inets/src/http_client/httpc_response.erl"
              ],
              "programRoutines": [
                {
                  "name": "httpc_response:redirect/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.13",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "lessThan": "688d748d6f7a6a06b13b662a1d3de8af97079612",
                  "status": "affected",
                  "version": "84adefa331c4159d432d22840663c38f155cd4c1",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.13",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.2",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.2",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ingela Anderton Andin"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Konrad Pietrzak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (\u003ctt\u003ehttpc_response\u003c/tt\u003e module) allows Retrieve Embedded Sensitive Data.\u003cp\u003eThe \u003ctt\u003ehttpc\u003c/tt\u003e client forwards the \u003ctt\u003eAuthorization\u003c/tt\u003e and \u003ctt\u003eProxy-Authorization\u003c/tt\u003e request headers to redirect targets without checking whether the redirect crosses an origin boundary. \u003ctt\u003ehttpc_response:redirect/2\u003c/tt\u003e constructs the redirected request by updating only the \u003ctt\u003ehost\u003c/tt\u003e field of the header record; all other fields (including \u003ctt\u003eauthorization\u003c/tt\u003e and \u003ctt\u003eproxy_authorization\u003c/tt\u003e) are copied verbatim. The redirect target host is never compared against the original host.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eautoredirect\u003c/tt\u003e defaults to \u003ctt\u003etrue\u003c/tt\u003e, so this affects all \u003ctt\u003ehttpc\u003c/tt\u003e callers that do not explicitly disable automatic redirects.\u003c/p\u003e\u003cp\u003eAn attacker who controls a server that the victim contacts via \u003ctt\u003ehttpc\u003c/tt\u003e can issue a cross-origin 3xx redirect to a server they also control. The \u003ctt\u003eAuthorization\u003c/tt\u003e header (including Basic credentials derived from URL userinfo via \u003ctt\u003ehttpc_request:handle_user_info/2\u003c/tt\u003e) is forwarded to the redirect target, allowing credential theft. The same applies to the \u003ctt\u003eProxy-Authorization\u003c/tt\u003e header.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_client/httpc_response.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.\u003c/p\u003e"
                }
              ],
              "value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.\n\nThe httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.\n\nautoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.\n\nAn attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.\n\nThis vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.\n\nThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T04:45:35.836Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-48856.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48856"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "httpc leaks Authorization header to cross-origin redirect targets",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eSet \u003ctt\u003e{autoredirect, false}\u003c/tt\u003e in the \u003ctt\u003ehttpc:request/4\u003c/tt\u003e options and handle redirects manually, stripping the \u003ctt\u003eAuthorization\u003c/tt\u003e header when the redirect crosses an origin boundary.\u003c/li\u003e\u003cli\u003eEnsure that \u003ctt\u003ehttpc\u003c/tt\u003e is only used to contact trusted servers that will not issue cross-origin redirects.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary.\n* Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-48856",
        "datePublished": "2026-06-10T14:41:51.616Z",
        "dateReserved": "2026-05-25T20:44:10.697Z",
        "dateUpdated": "2026-06-11T04:45:35.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48858 (GCVE-0-2026-48858)

    Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
    VLAI
    Title
    ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts. The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer. The ftp application is deprecated and scheduled for removal in OTP-30. This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later). This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 5.10.4 , < 7.0 (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 1.0 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.4 , < * (otp)
    Affected: be95772ee1fcfe71045ef070130bea7a910b81e3 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Jonatan Männchen / EEF Jonatan Männchen / EEF Ingela Anderton Andin
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48858",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T16:20:57.662713Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T16:21:08.893Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ftp_internal"
              ],
              "packageName": "inets",
              "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ftp/ftp_internal.erl"
              ],
              "programRoutines": [
                {
                  "name": "ftp_internal:handle_ctrl_result/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "lessThan": "7.0",
                  "status": "affected",
                  "version": "5.10.4",
                  "versionType": "otp"
                }
              ]
            },
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ftp_internal"
              ],
              "packageName": "ftp",
              "packageURL": "pkg:otp/ftp?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/ftp_internal.erl"
              ],
              "programRoutines": [
                {
                  "name": "ftp_internal:handle_ctrl_result/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.2.6",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.2.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "1.2.3.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "ftp_internal"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/inets/src/ftp/ftp_internal.erl",
                "lib/ftp/src/ftp_internal.erl"
              ],
              "programRoutines": [
                {
                  "name": "ftp_internal:handle_ctrl_result/2"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "29.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "28.5.0.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.13",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.4",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "2691a806231ffd0490a8a9e20500dec0c7e73727",
                      "status": "unaffected"
                    },
                    {
                      "at": "521bcfa24407ee8cb5614823cf905c37ea3aa605",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "be95772ee1fcfe71045ef070130bea7a910b81e3",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerable path is active under the default configuration: \u003ctt\u003emode=passive\u003c/tt\u003e, \u003ctt\u003eipfamily=inet\u003c/tt\u003e, and \u003ctt\u003eftp_extension=false\u003c/tt\u003e are all defaults for \u003ctt\u003eftp:open/2\u003c/tt\u003e."
                }
              ],
              "value": "The vulnerable path is active under the default configuration: mode=passive, ipfamily=inet, and ftp_extension=false are all defaults for ftp:open/2."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.13",
                      "versionStartIncluding": "17.4",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.5.0.2",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "29.0.2",
                      "versionStartIncluding": "29.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ingela Anderton Andin"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eServer-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp_internal:handle_ctrl_result/2\u003c/tt\u003e PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to \u003ctt\u003egen_tcp:connect/4\u003c/tt\u003e without validating it against the control connection peer address. The adjacent EPSV handlers correctly call \u003ctt\u003epeername(CSock)\u003c/tt\u003e to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (\u003ctt\u003eftp:ls/1,2\u003c/tt\u003e, \u003ctt\u003eftp:nlist/1,2\u003c/tt\u003e, \u003ctt\u003eftp:recv/2,3\u003c/tt\u003e), data from the redirected target is returned to the caller. On write operations (\u003ctt\u003eftp:send/2,3\u003c/tt\u003e, \u003ctt\u003eftp:append/2,3\u003c/tt\u003e), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\u003c/p\u003e\u003cp\u003eThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp\u003c/tt\u003e application is deprecated and scheduled for removal in OTP-30.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/ftp/ftp_internal.erl\u003c/tt\u003e (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and \u003ctt\u003elib/ftp/src/ftp_internal.erl\u003c/tt\u003e (ftp 1.0 and later, OTP 21.0 and later).\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\n\nThe ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\n\nThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\n\nThe ftp application is deprecated and scheduled for removal in OTP-30.\n\nThis vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).\n\nThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-11T04:45:36.460Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-48858.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48858"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Pass \u003ctt\u003e{ftp_extension, true}\u003c/tt\u003e to \u003ctt\u003eftp:open/2\u003c/tt\u003e to use EPSV instead of PASV. Alternatively, pass \u003ctt\u003e{mode, active}\u003c/tt\u003e to use active mode, or pass \u003ctt\u003e{ipfamily, inet6}\u003c/tt\u003e to force IPv6, both of which bypass the vulnerable PASV path."
                }
              ],
              "value": "Pass {ftp_extension, true} to ftp:open/2 to use EPSV instead of PASV. Alternatively, pass {mode, active} to use active mode, or pass {ipfamily, inet6} to force IPv6, both of which bypass the vulnerable PASV path."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-48858",
        "datePublished": "2026-06-10T14:35:45.466Z",
        "dateReserved": "2026-05-25T20:44:10.697Z",
        "dateUpdated": "2026-06-11T04:45:36.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28808 (GCVE-0-2026-28808)

    Vulnerability from cvelistv5 – Published: 2026-04-07 12:28 – Updated: 2026-07-01 04:45
    VLAI
    Title
    ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)
    Summary
    Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    • CWE-551 - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 5.10 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 07b8f441ca711f9812fad9e9115bab3c3aa92f79 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Red Hat Red Hat OpenStack Platform 16.2     cpe:/a:redhat:openstack:16.2
    Create a notification for this product.
    Red Hat Red Hat OpenStack Platform 17.1     cpe:/a:redhat:openstack:17.1
    Create a notification for this product.
    Red Hat Red Hat OpenStack Platform 18.0     cpe:/a:redhat:openstack:18.0
    Create a notification for this product.
    Credits
    Igor Morgenstern / Aisle Research Konrad Pietrzak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28808",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T13:14:10.515632Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T13:14:16.481Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openstack:16.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenStack Platform 16.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openstack:17.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenStack Platform 17.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openstack:18.0"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenStack Platform 18.0",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T12:28:16.056Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Erlang OTP (inets modules). A remote unauthenticated attacker could exploit an incorrect authorization vulnerability when CGI (Common Gateway Interface) scripts are served via script_alias. This vulnerability arises from a path mismatch where access controls are evaluated against a different path than the script\u0027s execution path. This allows unauthorized access to CGI scripts intended to be protected by directory rules, potentially leading to information disclosure or the execution of unauthorized scripts."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.4,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-551",
                    "description": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:58.601Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-28808"
              },
              {
                "name": "RHBZ#2455909",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455909"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28808.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T13:01:42.326Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T12:28:16.056Z",
                "value": "Made public."
              }
            ],
            "title": "erlang/otp: inets: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "affected",
              "modules": [
                "inets"
              ],
              "packageName": "inets",
              "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/http_server/mod_alias.erl",
                "src/http_server/mod_auth.erl",
                "src/http_server/mod_cgi.erl"
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "9.6.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.3.2.4",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.1.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "5.10",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "affected",
              "modules": [
                "inets"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/inets/src/http_server/mod_alias.erl",
                "lib/inets/src/http_server/mod_auth.erl",
                "lib/inets/src/http_server/mod_cgi.erl"
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.10",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.19",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "8fc71ac6af4fbcc54103bec2983ef22e82942688",
                      "status": "unaffected"
                    },
                    {
                      "at": "9dfa0c51eac97866078e808dec2183cb7871ff7c",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The inets httpd server must use \u003ctt\u003escript_alias\u003c/tt\u003e to map a URL prefix to a CGI directory, combined with \u003ctt\u003edirectory\u003c/tt\u003e-based access controls (e.g., \u003ctt\u003emod_auth\u003c/tt\u003e) protecting the \u003ctt\u003escript_alias\u003c/tt\u003e target path. The vulnerability applies whenever the \u003ctt\u003escript_alias\u003c/tt\u003e target path differs from \u003ctt\u003eDocumentRoot\u003c/tt\u003e + URL prefix."
                }
              ],
              "value": "The inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.19",
                      "versionStartIncluding": "17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.10",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.2",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Igor Morgenstern / Aisle Research"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Konrad Pietrzak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by \u003ctt\u003edirectory\u003c/tt\u003e rules when served via \u003ctt\u003escript_alias\u003c/tt\u003e.\u003cp\u003eWhen \u003ctt\u003escript_alias\u003c/tt\u003e maps a URL prefix to a directory outside \u003ctt\u003eDocumentRoot\u003c/tt\u003e, \u003ctt\u003emod_auth\u003c/tt\u003e evaluates \u003ctt\u003edirectory\u003c/tt\u003e-based access controls against the \u003ctt\u003eDocumentRoot\u003c/tt\u003e-relative path while \u003ctt\u003emod_cgi\u003c/tt\u003e executes the script at the \u003ctt\u003eScriptAlias\u003c/tt\u003e-resolved path. This path mismatch allows unauthenticated access to CGI scripts that \u003ctt\u003edirectory\u003c/tt\u003e rules were meant to protect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_server/mod_alias.erl\u003c/tt\u003e, \u003ctt\u003elib/inets/src/http_server/mod_auth.erl\u003c/tt\u003e, and \u003ctt\u003elib/inets/src/http_server/mod_cgi.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.\n\nWhen script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T04:45:33.019Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-28808.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28808"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eMove CGI scripts inside \u003ctt\u003eDocumentRoot\u003c/tt\u003e and use \u003ctt\u003ealias\u003c/tt\u003e instead of \u003ctt\u003escript_alias\u003c/tt\u003e to ensure \u003ctt\u003emod_auth\u003c/tt\u003e resolves the correct path.\u003c/li\u003e\u003cli\u003eApply URL-based access controls at a reverse proxy layer to block unauthenticated access to the \u003ctt\u003escript_alias\u003c/tt\u003e URL prefix.\u003c/li\u003e\u003cli\u003eRemove \u003ctt\u003emod_cgi\u003c/tt\u003e from the httpd modules chain if CGI functionality is not required.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.\n* Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.\n* Remove mod_cgi from the httpd modules chain if CGI functionality is not required."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-28808",
        "datePublished": "2026-04-07T12:28:16.056Z",
        "dateReserved": "2026-03-03T14:40:00.590Z",
        "dateUpdated": "2026-07-01T04:45:33.019Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23941 (GCVE-0-2026-23941)

    Vulnerability from cvelistv5 – Published: 2026-03-13 09:11 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Request smuggling via first-wins Content-Length parsing in inets httpd
    Summary
    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    Erlang OTP Affected: 5.10 , < * (otp)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Erlang OTP Affected: 17.0 , < * (otp)
    Affected: 0 , < * (git)
        cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Luigino Camastra / Aisle Research Konrad Pietrzak
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23941",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T16:00:50.466386Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T16:00:56.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "httpd_request"
              ],
              "packageName": "inets",
              "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
              "product": "OTP",
              "programFiles": [
                "src/http_server/httpd_request.erl"
              ],
              "programRoutines": [
                {
                  "name": "httpd_request:parse_headers/7"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "9.6.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.3.2.3",
                      "status": "unaffected"
                    },
                    {
                      "at": "9.1.0.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "5.10",
                  "versionType": "otp"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unknown",
              "modules": [
                "httpd_request"
              ],
              "packageName": "erlang/otp",
              "packageURL": "pkg:github/erlang/otp",
              "product": "OTP",
              "programFiles": [
                "lib/inets/src/http_server/httpd_request.erl"
              ],
              "programRoutines": [
                {
                  "name": "httpd_request:parse_headers/7"
                }
              ],
              "repo": "https://github.com/erlang/otp",
              "vendor": "Erlang",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "28.4.1",
                      "status": "unaffected"
                    },
                    {
                      "at": "27.3.4.9",
                      "status": "unaffected"
                    },
                    {
                      "at": "26.2.5.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "otp"
                },
                {
                  "changes": [
                    {
                      "at": "a4b46336fd25aa100ac602eb9a627aaead7eda18",
                      "status": "unaffected"
                    },
                    {
                      "at": "a761d391d8d08316cbd7d4a86733ba932b73c45b",
                      "status": "unaffected"
                    },
                    {
                      "at": "e775a332f623851385ab6ddb866d9b150612ddf6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The inets httpd server must be deployed behind a reverse proxy that honors a different Content-Length header than httpd (e.g., last vs. first). HTTP keep-alive must be enabled (the default)."
                }
              ],
              "value": "The inets httpd server must be deployed behind a reverse proxy that honors a different Content-Length header than httpd (e.g., last vs. first). HTTP keep-alive must be enabled (the default)."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.2.5.18",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "27.3.4.9",
                      "versionStartIncluding": "27.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "28.4.1",
                      "versionStartIncluding": "28.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Luigino Camastra / Aisle Research"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Konrad Pietrzak"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_server/httpd_request.erl\u003c/tt\u003e and program routines \u003ctt\u003ehttpd_request:parse_headers/7\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.\u003c/p\u003e"
                }
              ],
              "value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.\n\nThe server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-33",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-33 HTTP Request Smuggling"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:34.616Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/erlang/otp/security/advisories/GHSA-w4jc-9wpv-pqh7"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-23941.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-23941"
            },
            {
              "tags": [
                "x_version-scheme"
              ],
              "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/a4b46336fd25aa100ac602eb9a627aaead7eda18"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/a761d391d8d08316cbd7d4a86733ba932b73c45b"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/erlang/otp/commit/e775a332f623851385ab6ddb866d9b150612ddf6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Request smuggling via first-wins Content-Length parsing in inets httpd",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003eConfigure frontend proxy to reject requests with duplicate Content-Length headers.\u003c/li\u003e\u003cli\u003eDisable HTTP keep-alive on httpd by adding \u003ctt\u003e{keep_alive, false}\u003c/tt\u003e to httpd configuration. Note: This impacts performance for clients making multiple requests.\u003c/li\u003e\u003cli\u003eDeploy a Web Application Firewall (WAF) configured to reject requests with multiple Content-Length headers.\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "* Configure frontend proxy to reject requests with duplicate Content-Length headers.\n* Disable HTTP keep-alive on httpd by adding `{keep_alive, false}` to httpd configuration. Note: This impacts performance for clients making multiple requests.\n* Deploy a Web Application Firewall (WAF) configured to reject requests with multiple Content-Length headers."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-23941",
        "datePublished": "2026-03-13T09:11:58.175Z",
        "dateReserved": "2026-01-19T14:23:14.343Z",
        "dateUpdated": "2026-05-27T15:40:34.616Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }