CVE-2026-42791

May 27, 2026, 7:38 p.m.

6.3
Medium

Description

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid. OCSP response verification in pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorized_responder/3 in lib/public_key/src/pubkey_ocsp.erl does not check the validity period (notBefore/notAfter) of the OCSP responder certificate. An attacker who has obtained the private key of an expired CA-designated OCSP responder certificate can forge OCSP responses that Erlang/OTP accepts as valid. This affects TLS clients using OCSP stapling via the ssl application: a malicious or compromised server can present a revoked TLS certificate together with a forged OCSP response signed by an expired responder key, and the client will accept the revoked certificate as valid. It also affects applications calling public_key:pkix_ocsp_validate/5 directly, where the impact depends on the use case — server-side client certificate validation using this API may allow authentication bypass with a revoked client certificate. This issue affects OTP from OTP 27.0 before OTP 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.16 before 1.17.1.3, 1.20.3.1, and 1.21.1.

Product(s) Impacted

Vendor Product Versions
Erlang
  • Otp
  • Public Key
  • 27.0-27.3.4.12
  • 1.16-1.17.1.3, 1.20.3.1, 1.21.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-295
Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a erlang otp 27.0-27.3.4.12 / / / / / / /
a erlang public_key 1.16-1.17.1.3 / / / / / / /
a erlang public_key 1.20.3.1 / / / / / / /
a erlang public_key 1.21.1 / / / / / / /

References

https://cna.erlef.org/cves/CVE-2026-42791.html
https://github.com/erlang/otp/commit/7995f1fdaee3da569bb810358ce0f546471d169b
https://github.com/erlang/otp/commit/b3870e02405c709a872b01ba6086065620cdfe76
https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff
https://osv.dev/vulnerability/EEF-CVE-2026-42791
https://www.erlang.org/doc/system/versions.html#order-of-versions

Tags

CWE-295
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
2026-05-27
CVE-2026-42791

CVSS Score

6.3 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: May 27, 2026, 2:16 p.m.
Last Modified: May 27, 2026, 7:38 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

6b3ad84c-e1a6-4bf7-a703-f496b71e49db

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.