Improper Message Integrity in Erlang/OTP ssl Module Affects Client Applications
CVE-2026-54891

6.3 MEDIUM

Key Information:

Vendor

Erlang

Status
Vendor
CVE Published:
2 July 2026

What is CVE-2026-54891?

This vulnerability in the Erlang/OTP ssl module permits a network-positioned attacker to inject unauthenticated plaintext into a TLS client during the handshake. The tls_gen_connection function rejects APPLICATION_DATA records in pre-handshake states for server endpoints, but it does not enforce the same restriction for client endpoints. Consequently, an attacker can send unauthenticated APPLICATION_DATA that is presented to the application as if it were legitimate post-handshake data. The vulnerability primarily allows blind injection of bytes; its impact varies depending on the TLS version in use.
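The role-dependent check described above, modelled as an added example (this is not Erlang/OTP code, and the state names, function names and the sample record are constructed for illustration): a minimal record-layer gate that decides whether an incoming TLS record may be delivered as application data, first with the server-only check and then with the role-independent check.

```python
import struct

# TLS record-layer content types (RFC 5246 / RFC 8446).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
# Hypothetical state names for the connection state machine (not OTP's own);
# the handshake is complete only in "connection".
PRE_HANDSHAKE_STATES = {"initial_hello", "hello", "wait_cert", "certify", "cipher"}

def parse_record(buf: bytes) -> tuple:
    """Parse one TLS record: 1-byte type, 2-byte version, 2-byte length, fragment."""
    if len(buf) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if len(buf) != 5 + length:
        raise ValueError("fragment length mismatch")
    return ctype, (major, minor), buf[5:]

def gate_vulnerable(role: str, state: str, ctype: int) -> str:
    """Role-asymmetric gate: only the server side rejects early APPLICATION_DATA."""
    if ctype != APPLICATION_DATA:
        return "handshake_input"
    if role == "server" and state in PRE_HANDSHAKE_STATES:
        return "reject"
    return "deliver"  # client path: unauthenticated bytes reach the application

def gate_fixed(role: str, state: str, ctype: int) -> str:
    """Role-independent gate: APPLICATION_DATA is delivered only after the handshake."""
    if ctype != APPLICATION_DATA:
        return "handshake_input"
    if state != "connection":
        return "reject"  # same rule for client and server
    return "deliver"

# Constructed sample: a forged APPLICATION_DATA record (type 23, TLS 1.2 framing)
# arriving while the client is still in a handshake state.
INJECTED = b"\x17\x03\x03\x00\x05hello"

def demo() -> dict:
    """Run the forged record through both gates in several states."""
    ctype, _version, fragment = parse_record(INJECTED)
    return {
        "fragment": fragment,
        "client_vuln": gate_vulnerable("client", "hello", ctype),
        "client_fixed": gate_fixed("client", "hello", ctype),
        "server_vuln": gate_vulnerable("server", "hello", ctype),
        "after_handshake": gate_fixed("client", "connection", ctype),
    }
```

The point to take from `demo()` is that the vulnerable gate lets the forged fragment through on the client side while rejecting it on the server side; the fixed gate keys the decision on handshake state alone.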

Affected Version(s)

OTP 5.3.4

OTP 17.0

OTP 84adefa331c4159d432d22840663c38f155cd4c1 < 07d2d0e93f6aaf7652a81e8df075fc1728da5e96

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lukas Backström
Ingela Anderton Andin
Dan Gudmundsson
Jakub Witczak