Improper Certificate Validation in Erlang OTP Affecting Public_key Module
CVE-2026-32144

7.6HIGH

Key Information:

Vendor: Erlang
Status: Otp
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-32144?

A vulnerability in the public_key module of Erlang OTP allows for OCSP designated-responder authorization bypass due to inadequate signature verification. The current check only compares the responder's issuer name with the CA's subject name and verifies that the certificate has the OCSPSigning extended key usage. This weakness enables attackers who can intercept OCSP responses to forge valid responses for revoked certificates using self-signed certificates, thereby compromising the integrity of SSL/TLS connections. Applications relying on the affected API could unintentionally accept connections to untrustworthy servers and expose sensitive data.

Affected Version(s)

OTP 1.16

OTP 11.2

OTP 27.0

References

https://github.com/erlang/otp/security/advisories/GHSA-gx...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-32144.html

https://osv.dev/vulnerability/EEF-CVE-2026-32144

CVSS V4

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Mar 10, 2026

Credit

Igor Morgenstern / Aisle Research

Jakub Witczak

Ingela Anderton Andin

CVE-2026-32144 Data

JSON