Improper Certificate Chain Handling in Erlang OTP's public_key Module
CVE-2026-42789

7 HIGH

Key Information:

Vendor: Erlang
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-42789?

The vulnerability lies in Erlang/OTP's public_key module: during certificate path validation, a non-CA certificate whose basicConstraints extension sets cA:false and which carries no keyUsage extension is wrongly accepted as an intermediate issuer. A leaf certificate signed by such a non-CA certificate can therefore be forged for any identity and still chain to a trusted root, which puts systems that rely on TLS or mTLS at risk. Code that depends on public_key:pkix_path_validation/3 is directly affected, so both server and client identity verification are undermined at every endpoint that uses it. Versions prior to the patched releases are at risk; apply the available updates promptly.
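Added illustration, not OTP's code: a pure-Python model of the issuer-eligibility decision that the advisory says went wrong, with an assumed lenient variant placed beside the hardened RFC 5280 rule and run over a constructed three-certificate chain. The Cert model, the names and the `lenient` branch are assumptions; the real check operates on decoded X.509 structures.

```python
"""Model of the CVE-2026-42789 issuer check (added example, not OTP code).

A path is ordered [leaf, ..., trust anchor]. RFC 5280 requires every certificate
that issues another to assert basicConstraints cA:TRUE and, when it carries
keyUsage, the keyCertSign bit. `lenient` is an assumed, simplified model of the
defect the advisory describes: cA:false with no keyUsage slips through.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: Optional[bool]                    # basicConstraints cA; None = extension absent
    key_usage: Optional[FrozenSet[str]]   # None = keyUsage extension absent


def may_issue(cert: Cert, lenient: bool) -> bool:
    """Decide whether `cert` is permitted to issue another certificate."""
    if cert.key_usage is not None and "keyCertSign" not in cert.key_usage:
        return False                      # keyUsage present but forbids cert signing
    if lenient and cert.key_usage is None:
        return True                       # assumed flaw: missing keyUsage skips the cA test
    return cert.ca is True                # hardened rule: the cA flag alone decides


def validate_path(path: List[Cert], lenient: bool = False) -> bool:
    """True if every link chains by name and every issuer in the path may issue."""
    for child, parent in zip(path, path[1:]):
        if child.issuer != parent.subject:
            return False
        if not may_issue(parent, lenient):
            return False
    return True


# Constructed sample chain: a trusted root, an ordinary server certificate it
# issued, and a leaf for another name that the server certificate's key signed.
ROOT = Cert("Example Root CA", "Example Root CA", True, frozenset({"keyCertSign", "cRLSign"}))
SERVER = Cert("www.example.test", "Example Root CA", False, None)     # cA:false, no keyUsage
FORGED = Cert("other.example.test", "www.example.test", False, None)  # issued by SERVER's key
SUSPECT_PATH = [FORGED, SERVER, ROOT]

if __name__ == "__main__":
    print("lenient accepts forged chain:", validate_path(SUSPECT_PATH, lenient=True))
    print("hardened accepts forged chain:", validate_path(SUSPECT_PATH))
```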

Affected Version(s)

OTP 0.22

OTP 17.0

OTP 84adefa331c4159d432d22840663c38f155cd4c1

References

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

John Downey
Ingela Andin
Jakub Witczak