{"id":"EEF-CVE-2026-21620","summary":"TFTP Path Traversal","details":"## Summary\n\nRelative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.\n\nThis issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.\n\n## Configuration\n\nA TFTP server must be started and the TFTP port must be reachable by the attacker, using the tftp application (or the legacy inets TFTP service) with the tftp_file callback module configured with the {root_dir, Dir} option.","aliases":["CVE-2026-21620","GHSA-hmrc-prh3-rpvp"],"modified":"2026-05-27T16:00:16.101201715Z","published":"2026-02-20T10:57:08.620Z","database_specific":{"cwe_ids":["CWE-23"],"cpe_ids":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"capec_ids":["CAPEC-139"]},"references":[{"type":"ADVISORY","url":"https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-21620.html"},{"type":"WEB","url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"type":"FIX","url":"https://github.com/erlang/otp/pull/10706"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/696fdec922661d4a3cc528fc34bc24fae8d4ad8a"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/3970738f687325138eb75f798054fa8960ac354e"},{"type":"FIX","url":"https://github.com/erlang/otp/commit/655fb95725ba2fb811740b57e106873833824344"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"07b8f441ca711f9812fad9e9115bab3c3aa92f79"},{"fixed":"655fb95725ba2fb811740b57e106873833824344"},{"fixed":"3970738f687325138eb75f798054fa8960ac354e"},{"fixed":"696fdec922661d4a3cc528fc34bc24fae8d4ad8a"}]}],"versions":["patch-base-26","OTP-26.2.5","patch-base-27","OTP-27.3.4","OTP-26.2.5.9","OTP-28.0","OTP-27.0","OTP-27.3.4.6","OTP-27.3.4.7","OTP-28.3.1","OTP-28.3","OTP-26.2.5.16","OTP-26.2.5.12","OTP-27.3","OTP-27.3.4.5","OTP-27.3.4.4","OTP-26.2.5.15","OTP-26.2.3","OTP-28.1","OTP-27.3.4.3","OTP-27.3.3","OTP-26.2.5.14","OTP-27.3.4.2","OTP-26.0","OTP-26.2.5.13","OTP-25.0","OTP-27.3.4.1","OTP-28.0-rc4","OTP-26.2.5.11","OTP-27.3.2","OTP-28.0-rc3","OTP-26.2.5.10","OTP-27.2","OTP-28.0-rc2","OTP-27.3.1","OTP-28.0-rc1","OTP-26.2.5.8","OTP-26.2.5.7","OTP-26.2.5.6","OTP-27.1","OTP-26.2.5.5","OTP-26.2.5.4","OTP-26.2.5.3","OTP-26.2","OTP-26.2.5.2","OTP-26.2.5.1","OTP-26.2.4","OTP-27.0-rc3","OTP-27.0-rc2","OTP-27.0-rc1","OTP-24.0","OTP-26.1","OTP-26.0-rc3","OTP-26.0-rc2","OTP-26.0-rc1","OTP-23.0","OTP-21.0","OTP-25.0-rc3","OTP-25.0-rc2","OTP-25.0-rc1","OTP-22.0","OTP-24.0-rc3","OTP-24.0-rc2","OTP-24.0-rc1","OTP-23.0-rc3","OTP-23.0-rc2","OTP-23.0-rc1","OTP-20.0","OTP-22.0-rc3","OTP-22.0-rc2","OTP-22.0-rc1","OTP-19.0","OTP-21.0-rc2","OTP-18.0","OTP-21.0-rc1","OTP-17.0","OTP-20.0-rc2","OTP-20.0-rc1","OTP-19.0-rc2","OTP-19.0-rc1","OTP-18.0-rc1"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-21620.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}],"credits":[{"name":"Luigino Camastra / Aisle Research","type":"FINDER"},{"name":"Jakub Witczak","type":"REMEDIATION_REVIEWER"},{"name":"Raimo Niskanen","type":"REMEDIATION_DEVELOPER"}]}