CVE-2026-21620

N/A Unknown

📋 TL;DR

This CVE describes a relative path traversal vulnerability in Erlang/OTP's TFTP file modules (tftp_file.erl). It allows attackers to access files outside the intended directory by manipulating file paths. This affects Erlang/OTP installations using TFTP functionality across multiple versions.

💻 Affected Systems

Products:
  • erlang/otp
  • erlang otp erlang/otp
  • erlang otp inets
  • erlang otp tftp
Versions: OTP from 17.0, from commit 07b8f441ca711f9812fad9e9115bab3c3aa92f79; OTP from 5.10 before 7.0; OTP from 1.0
Operating Systems: All platforms running Erlang/OTP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using TFTP functionality from the tftp_file modules. The vulnerability is in the lib/tftp/src/tftp_file.erl and src/tftp_file.erl files.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive system files, potentially exposing credentials, configuration data, or other confidential information, leading to further system compromise.

🟠 Likely Case

Unauthorized file access to files within the TFTP server's accessible directory structure, potentially exposing application data or configuration files.

🟢 If Mitigated

Limited impact if proper file system permissions restrict TFTP process access and the service runs with minimal privileges.

🌐 Internet-Facing: MEDIUM - TFTP services exposed to internet could be exploited by remote attackers, but TFTP is less commonly internet-facing than other protocols.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to access files on TFTP servers within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities typically have low exploitation complexity. The advisory references suggest this is a directory traversal issue that could be exploited via crafted TFTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commits: 3970738f687325138eb75f798054fa8960ac354e, 655fb95725ba2fb811740b57e106873833824344, 696fdec922661d4a3cc528fc34bc24fae8d4ad8a

Vendor Advisory: https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp

Restart Required: Yes

Instructions:

  1. Update Erlang/OTP to a version containing the fix commits.
  2. Apply patches from the GitHub advisory.
  3. Restart any services using Erlang/OTP TFTP functionality.

🔧 Temporary Workarounds

Disable TFTP Service (platform: all)

If TFTP functionality is not required, disable the TFTP service to eliminate the attack surface.

# Stop TFTP service if running as standalone
# Check your Erlang application configuration to disable TFTP modules

Restrict TFTP Directory Access (platform: linux)

Configure TFTP to run in a chroot jail or with strict directory permissions to limit file access.

# Configure TFTP to use a restricted directory
# Set appropriate file system permissions on TFTP directories
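The chroot and permission controls above limit what the TFTP process can reach once a traversal slips through. The complementary application-layer control is to confine every requested filename to the configured root before opening it. The following is an added illustration of that check, not code from Erlang/OTP and not the change made in the fix commits; the root directory `/srv/tftp`, the function names and the `TraversalRejected` exception are assumptions for the example.

```python
import posixpath

# Assumed TFTP root directory for this example (placeholder, not an OTP default).
TFTP_ROOT = "/srv/tftp"


class TraversalRejected(ValueError):
    """Raised when a requested TFTP filename would resolve outside the root."""


def resolve_tftp_path(requested: str, root: str = TFTP_ROOT) -> str:
    """Map a TFTP filename onto an absolute path confined to `root`.

    Lexical check only: reject backslashes and NUL, join the name with the
    root, normalise away '.' and '..' segments, then require the result to sit
    strictly below the root. TFTP carries raw filenames, so no percent-decoding
    is done here; '%2e%2e%2f' is just an odd filename unless some front-end
    decodes it first. On a real server follow this with os.path.realpath() so
    symlinks inside the root cannot point outside it.
    """
    if "\\" in requested or "\x00" in requested:
        raise TraversalRejected(f"forbidden character in {requested!r}")
    root_norm = posixpath.normpath(root)
    # posixpath.join discards the root when the name is absolute, so
    # '/etc/passwd' fails the prefix test below just like '../../etc/passwd'.
    candidate = posixpath.normpath(posixpath.join(root_norm, requested))
    if candidate == root_norm or not candidate.startswith(root_norm + "/"):
        raise TraversalRejected(
            f"{requested!r} resolves to {candidate}, outside {root_norm}")
    return candidate


def is_confined(requested: str, root: str = TFTP_ROOT) -> bool:
    """True if the request stays inside the root, False if it would be rejected."""
    try:
        resolve_tftp_path(requested, root)
        return True
    except TraversalRejected:
        return False


if __name__ == "__main__":
    # Constructed sample requests: two benign, the rest escape or are malformed.
    for name in ["pxelinux.0", "images/../kernel.img", "../../etc/passwd",
                 "/etc/passwd", "configs\\..\\boot.ini", "."]:
        print(f"{name!r:30} -> {'allowed' if is_confined(name) else 'rejected'}")
```

The prefix test uses `root + "/"` rather than `root` alone so that a sibling directory such as `/srv/tftpother` is not mistaken for a child of `/srv/tftp`; `images/../kernel.img` is accepted because it normalises to a file that is still inside the root.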

🧯 If You Can't Patch

  • Implement network segmentation to isolate TFTP servers from sensitive systems
  • Deploy network filtering to block path traversal patterns in TFTP traffic; note that a web application firewall (WAF) inspects HTTP and will not see TFTP, which runs over UDP port 69

🔍 How to Verify

Check if Vulnerable:

Check if your Erlang/OTP installation includes the vulnerable tftp_file modules and is within the affected version ranges. Review TFTP service configuration.

Check Version:

erl -eval 'erlang:display(erlang:system_info(otp_release)), halt().'

Verify Fix Applied:

Verify that the fix commits are present in your Erlang/OTP installation and test TFTP functionality with path traversal attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual TFTP file access patterns
  • Failed file access attempts with path traversal characters (../)
  • TFTP requests for files outside expected directories

Network Indicators:

  • TFTP traffic containing path traversal sequences
  • TFTP requests to unexpected file paths

SIEM Query:

source="tftp.log" AND ("..\/" OR "../" OR "%2e%2e%2f")
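The SIEM query above matches the literal strings `../` and `%2e%2e%2f`. The log and network indicators listed in this section are easier to act on if the filename is first decoded and backslashes are normalised, so that encoded and Windows-style variants fall into the same bucket and a `..` that stays inside the root is distinguished from one that escapes it. The following is an added example of that logic, not part of the original page; the `key=value` log format, timestamps and client addresses are constructed for the example and are not Erlang/OTP's own TFTP log output.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in an assumed "key=value" format (not OTP's
# own TFTP logging). Timestamps and client addresses are made up.
SAMPLE_LOG = """\
2026-01-12T10:00:01Z tftp RRQ client=10.0.0.5 file=boot/pxelinux.0 mode=octet
2026-01-12T10:00:02Z tftp RRQ client=10.0.0.9 file=../../etc/passwd mode=octet
2026-01-12T10:00:03Z tftp RRQ client=10.0.0.9 file=%2e%2e%2f%2e%2e%2fetc%2fshadow mode=netascii
2026-01-12T10:00:04Z tftp WRQ client=10.0.0.7 file=configs\\..\\..\\boot.ini mode=octet
2026-01-12T10:00:05Z tftp RRQ client=10.0.0.5 file=images/../kernel.img mode=octet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) tftp (?P<op>RRQ|WRQ) client=(?P<client>\S+) "
    r"file=(?P<file>\S+) mode=(?P<mode>\S+)$"
)


def canonical_name(raw: str) -> str:
    """Undo the encodings the SIEM query lists so all variants compare alike."""
    decoded = unquote(unquote(raw))       # %2e%2e%2f and double-encoded forms
    return decoded.replace("\\", "/")     # treat backslash as a separator too


def classify(decoded: str):
    """Return 'escapes_root', 'dotdot_inside_root' or None for a decoded name.

    Walks the segments keeping a depth counter; the first '..' that takes the
    depth below zero means the request left the TFTP root.
    """
    depth = 0
    saw_dotdot = False
    for seg in decoded.split("/"):
        if seg == "..":
            saw_dotdot = True
            depth -= 1
            if depth < 0:
                return "escapes_root"
        elif seg not in ("", "."):
            depth += 1
    return "dotdot_inside_root" if saw_dotdot else None


def scan_tftp_log(text: str):
    """Parse log lines and return one finding per request containing traversal."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of failing the scan
        decoded = canonical_name(m["file"])
        reason = classify(decoded)
        if reason:
            findings.append({"ts": m["ts"], "client": m["client"], "op": m["op"],
                             "file": m["file"], "decoded": decoded,
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_tftp_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['op']} {f['reason']:20} "
              f"{f['file']} -> {f['decoded']}")
```

On the sample input the three requests that leave the root (plain, percent-encoded and backslash-separated) are reported as `escapes_root`, while `images/../kernel.img` is reported separately as `dotdot_inside_root`, which matches the "unusual access pattern" indicator without being treated as an attempted escape.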
