Improper Certificate Validation in Erlang OTP Affects Security
CVE-2026-42790
7.6 HIGH
What is CVE-2026-42790?
A vulnerability exists in Erlang OTP's public_key modules that allows an attacker to bypass DNS nameConstraints during TLS hostname verification. The flaw arises from two combined issues: the validation routines do not adequately check SAN DNS entries against the constraints, and they fall back to the subject commonName when no subjectAltName is present. Consequently, a subordinate CA may issue a certificate that an OTP TLS client accepts as valid for a hostname outside the CA's predefined constraints, which defeats the trust boundary that name constraints are meant to enforce on the connection.
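The following is an added reference implementation, written in Python rather than Erlang, of the two checks the description above says were inadequate; it is not code from OTP's public_key application. It assumes the certificate has already been parsed: the caller supplies the leaf's SAN dNSName entries, its subject CN, and the DNS permitted/excluded subtrees accumulated from the issuing CAs. Subtree matching follows RFC 5280 section 4.2.1.10 (a name satisfies "host.example.com" if it equals it or adds labels on the left); the CN-as-hostname heuristic and the constructed names in the demo are this example's own assumptions.

```python
"""
Reference logic for DNS nameConstraints during hostname verification.
Added example, not OTP code.  Inputs are already-extracted certificate
fields; no ASN.1 parsing is performed here.

Wildcard SAN entries are compared literally against constraints, which is
the conservative choice: "*.example.com" satisfies "example.com", while
"*.com" does not.
"""
from dataclasses import dataclass
from typing import List, Optional


def _norm(name: str) -> str:
    """Case-fold and drop a trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 DNS subtree test: equal to, or a sub-label of, the subtree."""
    name, subtree = _norm(name), _norm(subtree)
    if not subtree:
        return True  # an empty subtree constrains nothing
    return name == subtree or name.endswith("." + subtree)


def dns_name_satisfies_constraints(name: str, permitted: List[str],
                                   excluded: List[str]) -> bool:
    """A name is allowed only if it is in no excluded subtree and, when any
    permitted DNS subtrees exist, in at least one of them."""
    if any(dns_name_in_subtree(name, ex) for ex in excluded):
        return False
    if permitted and not any(dns_name_in_subtree(name, p) for p in permitted):
        return False
    return True


@dataclass
class LeafNames:
    san_dns: List[str]                  # dNSName entries; [] if SAN is absent
    subject_cn: Optional[str] = None    # subject commonName, if any


def candidate_dns_names(leaf: LeafNames) -> List[str]:
    """Names that hostname verification may match.  The CN is consulted only
    when no SAN is present (RFC 6125); the advisory's second issue is that a
    CN used this way must be constrained exactly like a SAN entry would be."""
    if leaf.san_dns:
        return list(leaf.san_dns)
    cn = leaf.subject_cn
    # Heuristic (assumption): treat the CN as a DNS name only if it looks like one.
    if cn and "." in cn and " " not in cn:
        return [cn]
    return []


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost position."""
    hostname, pattern = _norm(hostname), _norm(pattern)
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern


def verify_hostname(hostname: str, leaf: LeafNames,
                    permitted: List[str], excluded: List[str]) -> bool:
    """Accept only if every candidate name (SAN list, or CN fallback) passes
    the accumulated DNS constraints AND one of them matches the hostname.
    Every name is checked, not just the matching one: RFC 5280 section 6.1.4
    treats a certificate with any out-of-constraint name as invalid."""
    names = candidate_dns_names(leaf)
    if not names:
        return False
    if not all(dns_name_satisfies_constraints(n, permitted, excluded) for n in names):
        return False
    return any(hostname_matches(hostname, n) for n in names)


if __name__ == "__main__":
    # Constructed scenario: a subordinate CA constrained to example.com.
    permitted, excluded = ["example.com"], ["internal.example.com"]
    cases = [
        ("www.example.com",   LeafNames(["www.example.com"])),           # in scope
        ("login.bank.test",   LeafNames(["login.bank.test"])),           # SAN outside subtree
        ("login.bank.test",   LeafNames([], "login.bank.test")),         # CN fallback outside subtree
        ("app.example.com",   LeafNames([], "app.example.com")),         # CN fallback inside subtree
        ("db.internal.example.com", LeafNames(["db.internal.example.com"])),  # excluded subtree
    ]
    for host, leaf in cases:
        print(f"{host:28} -> {'accept' if verify_hostname(host, leaf, permitted, excluded) else 'reject'}")
```

The second and third cases are the two halves of the issue the description combines: a SAN DNS entry that escapes the CA's permitted subtree, and a CN that is used for hostname matching without being subjected to the same constraint. Both must be rejected for the name constraint on the subordinate CA to mean anything.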
Affected Version(s)
OTP 1.4
OTP 19.3
OTP b0c245e8132bb13171e277b1af59c0cec00c9459
References
CVSS V4
Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
John Downey
Ingela Anderton Andin
Dan Gudmundsson
Jakub Witczak
