Improper Certificate Validation in Erlang OTP's public_key Module
CVE-2026-42791

6.3 MEDIUM

Key Information:

Vendor: Erlang

Status: Vendor

CVE Published: 27 May 2026

What is CVE-2026-42791?

In Erlang OTP, a vulnerability exists in the OCSP functionality of the public_key module. It fails to validate the time constraints (validity period) of OCSP responder certificates, so an attacker using an expired responder certificate can forge OCSP responses that the client accepts. When OCSP stapling is used, this can mislead TLS clients into accepting revoked certificates as valid, compromising the security of the connection. Affected versions of OTP include 27.0 up to 27.3.4.12, along with subsequent versions in the 28.x and 29.x series. This issue poses a significant risk to authentication, particularly in server-side certificate validation.

Affected Version(s)

  • OTP 1.16

  • OTP 27.0

  • OTP 2b1a742c651b90f8a7a1fb2ddde73f29915ea376

CVSS v4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Jakub Witczak
Ingela Andin