Vulnerability-Lookup

WID-SEC-W-2026-0998

Vulnerability from csaf_certbund - Published: 2026-04-07 22:00 - Updated: 2026-06-07 22:00

Summary

Erlang/OTP: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Erlang/OTP (Open Telecom Platform) ist eine Sammlung von Bibliotheken und Tools, die auf der Programmiersprache Erlang basieren und für den Aufbau skalierbarer, fehlertoleranter und verteilter Systeme entwickelt wurden.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Erlang/OTP ausnutzen, um Sicherheitsvorkehrungen zu umgehen und Daten zu manipulieren.

Betroffene Betriebssysteme: - Sonstiges - UNIX

CVE-2026-28808

Affected products

Known affected 9 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Erlang/OTP inets <9.3.2.4 Open Source / Erlang/OTP		inets <9.3.2.4
Open Source Erlang/OTP inets <9.6.2 Open Source / Erlang/OTP		inets <9.6.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source Erlang/OTP inets <9.1.0.6 Open Source / Erlang/OTP		inets <9.1.0.6
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source Erlang/OTP <27.3.4.10 Open Source / Erlang/OTP		<27.3.4.10
Open Source Erlang/OTP <26.2.5.19 Open Source / Erlang/OTP		<26.2.5.19
Open Source Erlang/OTP <28.4.2 Open Source / Erlang/OTP		<28.4.2

CVE-2026-28810

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source Erlang/OTP kernel <10.6.2 Open Source / Erlang/OTP		kernel <10.6.2
Open Source Erlang/OTP kernel <9.2.4.11 Open Source / Erlang/OTP		kernel <9.2.4.11
Open Source Erlang/OTP kernel <10.2.7.4 Open Source / Erlang/OTP		kernel <10.2.7.4
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source Erlang/OTP <27.3.4.10 Open Source / Erlang/OTP		<27.3.4.10
Open Source Erlang/OTP <26.2.5.19 Open Source / Erlang/OTP		<26.2.5.19
Open Source Erlang/OTP <28.4.2 Open Source / Erlang/OTP		<28.4.2

CVE-2026-32144

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source Erlang/OTP public key <1.17.1.2 Open Source / Erlang/OTP		public key <1.17.1.2
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Open Source Erlang/OTP <27.3.4.10 Open Source / Erlang/OTP		<27.3.4.10
Open Source Erlang/OTP ssl <11.5.4 Open Source / Erlang/OTP		ssl <11.5.4
Open Source Erlang/OTP public key <1.20.3 Open Source / Erlang/OTP		public key <1.20.3
Open Source Erlang/OTP <28.4.2 Open Source / Erlang/OTP		<28.4.2
Open Source Erlang/OTP ssl <11.2.12.7 Open Source / Erlang/OTP		ssl <11.2.12.7

References

14 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/erlang/otp/security/advisories…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2455909	external
https://github.com/erlang/otp/security/advisories…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2455868	external
https://github.com/erlang/otp/security/advisories…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2455896	external
https://msrc.microsoft.com/update-guide/	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Erlang/OTP (Open Telecom Platform) ist eine Sammlung von Bibliotheken und Tools, die auf der Programmiersprache Erlang basieren und f\u00fcr den Aufbau skalierbarer, fehlertoleranter und verteilter Systeme entwickelt wurden.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Erlang/OTP ausnutzen, um Sicherheitsvorkehrungen zu umgehen und Daten zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0998 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0998.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0998 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0998"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-3vhp-h532-mc3f vom 2026-04-07",
        "url": "https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2455909 vom 2026-04-07",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455909"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-v884-5jg5-whj8 vom 2026-04-07",
        "url": "https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2455868 vom 2026-04-07",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455868"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-gxrm-pf64-99xm vom 2026-04-07",
        "url": "https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2455896 vom 2026-04-07",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455896"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2026-04-14",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20607-1 vom 2026-04-23",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4QAQ4TDFDQU63BXX7RVMTSP3PBTQAYFT/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21374-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025733.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1714-1 vom 2026-05-06",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025889.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2010-1 vom 2026-05-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026143.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10947-1 vom 2026-06-07",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QK6K6BD7IHWDWZZAS5FMBXE23GAEMEA2/"
      }
    ],
    "source_lang": "en-US",
    "title": "Erlang/OTP: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-07T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-08T09:28:04.055+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-0998",
      "initial_release_date": "2026-04-07T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-07T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-14T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-04-22T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-04-28T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-06T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-06-07T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "7"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "azl3",
                "product": {
                  "name": "Microsoft Azure Linux azl3",
                  "product_id": "T049210",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:microsoft:azure_linux:azl3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c28.4.2",
                "product": {
                  "name": "Open Source Erlang/OTP \u003c28.4.2",
                  "product_id": "T052486"
                }
              },
              {
                "category": "product_version",
                "name": "28.4.2",
                "product": {
                  "name": "Open Source Erlang/OTP 28.4.2",
                  "product_id": "T052486-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:28.4.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c27.3.4.10",
                "product": {
                  "name": "Open Source Erlang/OTP \u003c27.3.4.10",
                  "product_id": "T052487"
                }
              },
              {
                "category": "product_version",
                "name": "27.3.4.10",
                "product": {
                  "name": "Open Source Erlang/OTP 27.3.4.10",
                  "product_id": "T052487-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:27.3.4.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c26.2.5.19",
                "product": {
                  "name": "Open Source Erlang/OTP \u003c26.2.5.19",
                  "product_id": "T052488"
                }
              },
              {
                "category": "product_version",
                "name": "26.2.5.19",
                "product": {
                  "name": "Open Source Erlang/OTP 26.2.5.19",
                  "product_id": "T052488-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:26.2.5.19"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "inets \u003c9.1.0.6",
                "product": {
                  "name": "Open Source Erlang/OTP inets \u003c9.1.0.6",
                  "product_id": "T052489"
                }
              },
              {
                "category": "product_version",
                "name": "inets 9.1.0.6",
                "product": {
                  "name": "Open Source Erlang/OTP inets 9.1.0.6",
                  "product_id": "T052489-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:inets__9.1.0.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "inets \u003c9.3.2.4",
                "product": {
                  "name": "Open Source Erlang/OTP inets \u003c9.3.2.4",
                  "product_id": "T052490"
                }
              },
              {
                "category": "product_version",
                "name": "inets 9.3.2.4",
                "product": {
                  "name": "Open Source Erlang/OTP inets 9.3.2.4",
                  "product_id": "T052490-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:inets__9.3.2.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "inets \u003c9.6.2",
                "product": {
                  "name": "Open Source Erlang/OTP inets \u003c9.6.2",
                  "product_id": "T052491"
                }
              },
              {
                "category": "product_version",
                "name": "inets 9.6.2",
                "product": {
                  "name": "Open Source Erlang/OTP inets 9.6.2",
                  "product_id": "T052491-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:inets__9.6.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "kernel \u003c9.2.4.11",
                "product": {
                  "name": "Open Source Erlang/OTP kernel \u003c9.2.4.11",
                  "product_id": "T052492"
                }
              },
              {
                "category": "product_version",
                "name": "kernel 9.2.4.11",
                "product": {
                  "name": "Open Source Erlang/OTP kernel 9.2.4.11",
                  "product_id": "T052492-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:kernel__9.2.4.11"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "kernel \u003c10.2.7.4",
                "product": {
                  "name": "Open Source Erlang/OTP kernel \u003c10.2.7.4",
                  "product_id": "T052493"
                }
              },
              {
                "category": "product_version",
                "name": "kernel 10.2.7.4",
                "product": {
                  "name": "Open Source Erlang/OTP kernel 10.2.7.4",
                  "product_id": "T052493-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:kernel__10.2.7.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "kernel \u003c10.6.2",
                "product": {
                  "name": "Open Source Erlang/OTP kernel \u003c10.6.2",
                  "product_id": "T052494"
                }
              },
              {
                "category": "product_version",
                "name": "kernel 10.6.2",
                "product": {
                  "name": "Open Source Erlang/OTP kernel 10.6.2",
                  "product_id": "T052494-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:kernel__10.6.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "public key \u003c1.17.1.2",
                "product": {
                  "name": "Open Source Erlang/OTP public key \u003c1.17.1.2",
                  "product_id": "T052495"
                }
              },
              {
                "category": "product_version",
                "name": "public key 1.17.1.2",
                "product": {
                  "name": "Open Source Erlang/OTP public key 1.17.1.2",
                  "product_id": "T052495-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:public_key__1.17.1.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "public key \u003c1.20.3",
                "product": {
                  "name": "Open Source Erlang/OTP public key \u003c1.20.3",
                  "product_id": "T052496"
                }
              },
              {
                "category": "product_version",
                "name": "public key 1.20.3",
                "product": {
                  "name": "Open Source Erlang/OTP public key 1.20.3",
                  "product_id": "T052496-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:public_key__1.20.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "ssl \u003c11.2.12.7",
                "product": {
                  "name": "Open Source Erlang/OTP ssl \u003c11.2.12.7",
                  "product_id": "T052497"
                }
              },
              {
                "category": "product_version",
                "name": "ssl 11.2.12.7",
                "product": {
                  "name": "Open Source Erlang/OTP ssl 11.2.12.7",
                  "product_id": "T052497-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:ssl__11.2.12.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "ssl \u003c11.5.4",
                "product": {
                  "name": "Open Source Erlang/OTP ssl \u003c11.5.4",
                  "product_id": "T052498"
                }
              },
              {
                "category": "product_version",
                "name": "ssl 11.5.4",
                "product": {
                  "name": "Open Source Erlang/OTP ssl 11.5.4",
                  "product_id": "T052498-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:erlang:erlang%2fotp:ssl__11.5.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Erlang/OTP"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-28808",
      "product_status": {
        "known_affected": [
          "T002207",
          "T052490",
          "T052491",
          "T027843",
          "T052489",
          "T049210",
          "T052487",
          "T052488",
          "T052486"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-28808"
    },
    {
      "cve": "CVE-2026-28810",
      "product_status": {
        "known_affected": [
          "T052494",
          "T052492",
          "T052493",
          "T002207",
          "T027843",
          "T049210",
          "T052487",
          "T052488",
          "T052486"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-28810"
    },
    {
      "cve": "CVE-2026-32144",
      "product_status": {
        "known_affected": [
          "T052495",
          "T002207",
          "T027843",
          "T049210",
          "T052487",
          "T052498",
          "T052496",
          "T052486",
          "T052497"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-32144"
    }
  ]
}

CVE-2026-28808 (GCVE-0-2026-28808)

Vulnerability from cvelistv5 – Published: 2026-04-07 12:28 – Updated: 2026-05-27 15:40

Title

ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)

Summary

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

Severity

8.3 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-863 - Incorrect Authorization

Assigner

EEF

References

6 references

URL	Tags
https://github.com/erlang/otp/security/advisories…	vendor-advisoryrelated
https://cna.erlef.org/cves/CVE-2026-28808.html	related
https://osv.dev/vulnerability/EEF-CVE-2026-28808	related
https://www.erlang.org/doc/system/versions.html#o…	x_version-scheme
https://github.com/erlang/otp/commit/8fc71ac6af4f…	patch
https://github.com/erlang/otp/commit/9dfa0c51eac9…	patch

Impacted products

2 products

Vendor	Product	Version
Erlang	OTP	Affected: 5.10 , < * (otp) cpe:2.3:a:erlang:erlang\/otp::::::::
Erlang	OTP	Affected: 17.0 , < * (otp) Affected: 07b8f441ca711f9812fad9e9115bab3c3aa92f79 , < * (git) cpe:2.3:a:erlang:erlang\/otp::::::::

Credits

Igor Morgenstern / Aisle Research Konrad Pietrzak

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28808",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T13:14:10.515632Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T13:14:16.481Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "affected",
          "modules": [
            "inets"
          ],
          "packageName": "inets",
          "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/http_server/mod_alias.erl",
            "src/http_server/mod_auth.erl",
            "src/http_server/mod_cgi.erl"
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "9.6.2",
                  "status": "unaffected"
                },
                {
                  "at": "9.3.2.4",
                  "status": "unaffected"
                },
                {
                  "at": "9.1.0.6",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "5.10",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "affected",
          "modules": [
            "inets"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/inets/src/http_server/mod_alias.erl",
            "lib/inets/src/http_server/mod_auth.erl",
            "lib/inets/src/http_server/mod_cgi.erl"
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "28.4.2",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.10",
                  "status": "unaffected"
                },
                {
                  "at": "26.2.5.19",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "changes": [
                {
                  "at": "8fc71ac6af4fbcc54103bec2983ef22e82942688",
                  "status": "unaffected"
                },
                {
                  "at": "9dfa0c51eac97866078e808dec2183cb7871ff7c",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The inets httpd server must use \u003ctt\u003escript_alias\u003c/tt\u003e to map a URL prefix to a CGI directory, combined with \u003ctt\u003edirectory\u003c/tt\u003e-based access controls (e.g., \u003ctt\u003emod_auth\u003c/tt\u003e) protecting the \u003ctt\u003escript_alias\u003c/tt\u003e target path. The vulnerability applies whenever the \u003ctt\u003escript_alias\u003c/tt\u003e target path differs from \u003ctt\u003eDocumentRoot\u003c/tt\u003e + URL prefix."
            }
          ],
          "value": "The inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.2.5.19",
                  "versionStartIncluding": "17.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.10",
                  "versionStartIncluding": "27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.4.2",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Igor Morgenstern / Aisle Research"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Konrad Pietrzak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by \u003ctt\u003edirectory\u003c/tt\u003e rules when served via \u003ctt\u003escript_alias\u003c/tt\u003e.\u003cp\u003eWhen \u003ctt\u003escript_alias\u003c/tt\u003e maps a URL prefix to a directory outside \u003ctt\u003eDocumentRoot\u003c/tt\u003e, \u003ctt\u003emod_auth\u003c/tt\u003e evaluates \u003ctt\u003edirectory\u003c/tt\u003e-based access controls against the \u003ctt\u003eDocumentRoot\u003c/tt\u003e-relative path while \u003ctt\u003emod_cgi\u003c/tt\u003e executes the script at the \u003ctt\u003eScriptAlias\u003c/tt\u003e-resolved path. This path mismatch allows unauthenticated access to CGI scripts that \u003ctt\u003edirectory\u003c/tt\u003e rules were meant to protect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_server/mod_alias.erl\u003c/tt\u003e, \u003ctt\u003elib/inets/src/http_server/mod_auth.erl\u003c/tt\u003e, and \u003ctt\u003elib/inets/src/http_server/mod_cgi.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.\u003c/p\u003e"
            }
          ],
          "value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.\n\nWhen script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:40:51.025Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-28808.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28808"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eMove CGI scripts inside \u003ctt\u003eDocumentRoot\u003c/tt\u003e and use \u003ctt\u003ealias\u003c/tt\u003e instead of \u003ctt\u003escript_alias\u003c/tt\u003e to ensure \u003ctt\u003emod_auth\u003c/tt\u003e resolves the correct path.\u003c/li\u003e\u003cli\u003eApply URL-based access controls at a reverse proxy layer to block unauthenticated access to the \u003ctt\u003escript_alias\u003c/tt\u003e URL prefix.\u003c/li\u003e\u003cli\u003eRemove \u003ctt\u003emod_cgi\u003c/tt\u003e from the httpd modules chain if CGI functionality is not required.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "* Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.\n* Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.\n* Remove mod_cgi from the httpd modules chain if CGI functionality is not required."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-28808",
    "datePublished": "2026-04-07T12:28:16.056Z",
    "dateReserved": "2026-03-03T14:40:00.590Z",
    "dateUpdated": "2026-05-27T15:40:51.025Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28810 (GCVE-0-2026-28810)

Vulnerability from cvelistv5 – Published: 2026-04-07 07:50 – Updated: 2026-05-27 15:40

Title

Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver

Summary

Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-340 - Generation of Predictable Numbers or Identifiers

Assigner

EEF

References

7 references

URL	Tags
https://github.com/erlang/otp/security/advisories…	vendor-advisoryrelated
https://cna.erlef.org/cves/CVE-2026-28810.html	related
https://osv.dev/vulnerability/EEF-CVE-2026-28810	related
https://www.erlang.org/doc/system/versions.html#o…	x_version-scheme
https://github.com/erlang/otp/commit/36f23c9d2cc5…	patch
https://github.com/erlang/otp/commit/dd15e8eb0354…	patch
https://github.com/erlang/otp/commit/b057a9d99501…	patch

Impacted products

2 products

Vendor	Product	Version
Erlang	OTP	Affected: 3.0 , < * (otp) cpe:2.3:a:erlang:erlang\/otp::::::::
Erlang	OTP	Affected: 17.0 , < * (otp) Affected: 07b8f441ca711f9812fad9e9115bab3c3aa92f79 , < * (git) cpe:2.3:a:erlang:erlang\/otp::::::::

Credits

Luigino Camastra / Aisle Research Raimo Niskanen

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28810",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T16:27:52.481723Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T16:28:02.947Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "inet_res",
            "inet_db"
          ],
          "packageName": "kernel",
          "packageURL": "pkg:otp/kernel?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/inet_db.erl",
            "src/inet_res.erl"
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "10.6.2",
                  "status": "unaffected"
                },
                {
                  "at": "10.2.7.4",
                  "status": "unaffected"
                },
                {
                  "at": "9.2.4.11",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "3.0",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "inet_res",
            "inet_db"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/kernel/src/inet_db.erl",
            "lib/kernel/src/inet_res.erl"
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "28.4.2",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.10",
                  "status": "unaffected"
                },
                {
                  "at": "26.2.5.19",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "changes": [
                {
                  "at": "36f23c9d2cc54afe83671dd7343596d7972839a5",
                  "status": "unaffected"
                },
                {
                  "at": "dd15e8eb03548c5e55e9915f0e91389ec6bad9fd",
                  "status": "unaffected"
                },
                {
                  "at": "b057a9d995017b1be50d6dc02edd52382f3231b8",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The application must use \u003ctt\u003einet_res\u003c/tt\u003e for DNS resolution, either by configuring the lookup method to include \u003ctt\u003edns\u003c/tt\u003e in the kernel inet configuration, or by calling \u003ctt\u003einet_res\u003c/tt\u003e functions directly. The default Erlang/OTP configuration uses native OS resolution and is not affected."
            }
          ],
          "value": "The application must use inet_res for DNS resolution, either by configuring the lookup method to include dns in the kernel inet configuration, or by calling inet_res functions directly. The default Erlang/OTP configuration uses native OS resolution and is not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "26.2.5.19",
                  "versionStartIncluding": "17.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.10",
                  "versionStartIncluding": "27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.4.2",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Luigino Camastra / Aisle Research"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Raimo Niskanen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.\u003cp\u003eThe built-in DNS resolver (\u003ctt\u003einet_res\u003c/tt\u003e) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.\u003c/p\u003e\u003cp\u003e\u003ctt\u003einet_res\u003c/tt\u003e is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/kernel/src/inet_db.erl\u003c/tt\u003e and \u003ctt\u003elib/kernel/src/inet_res.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.\u003c/p\u003e"
            }
          ],
          "value": "Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.\n\nThe built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.\n\ninet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.\n\nThis vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-142",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-142 DNS Cache Poisoning"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-340",
              "description": "CWE-340 Generation of Predictable Numbers or Identifiers",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:40:59.850Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-28810.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28810"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Install the Erlang nodes in a trusted network shielded from DNS reply spoofing by firewalls, and configure the \u003ctt\u003einet_res\u003c/tt\u003e resolver to only talk to trusted recursive name servers within that network."
            }
          ],
          "value": "Install the Erlang nodes in a trusted network shielded from DNS reply spoofing by firewalls, and configure the inet_res resolver to only talk to trusted recursive name servers within that network."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-28810",
    "datePublished": "2026-04-07T07:50:11.072Z",
    "dateReserved": "2026-03-03T14:40:00.590Z",
    "dateUpdated": "2026-05-27T15:40:59.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32144 (GCVE-0-2026-32144)

Vulnerability from cvelistv5 – Published: 2026-04-07 12:28 – Updated: 2026-05-27 15:40

Title

OCSP designated-responder authorization bypass via missing signature verification

Summary

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.

Severity

7.6 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-295 - Improper Certificate Validation

Assigner

EEF

References

6 references

URL	Tags
https://github.com/erlang/otp/security/advisories…	vendor-advisoryrelated
https://cna.erlef.org/cves/CVE-2026-32144.html	related
https://osv.dev/vulnerability/EEF-CVE-2026-32144	related
https://www.erlang.org/doc/system/versions.html#o…	x_version-scheme
https://github.com/erlang/otp/commit/ac7ff528be85…	patch
https://github.com/erlang/otp/commit/49033a6d93a5…	patch

Impacted products

3 products

Vendor	Product	Version
Erlang	OTP	Affected: 1.16 , < * (otp) cpe:2.3:a:erlang:erlang\/otp::::::::
Erlang	OTP	Affected: 11.2 , < * (otp) cpe:2.3:a:erlang:erlang\/otp::::::::
Erlang	OTP	Affected: 27.0 , < * (otp) Affected: 601a012837ea0a5c8095bf24223132824177124d , < * (git) cpe:2.3:a:erlang:erlang\/otp::::::::

Credits

Igor Morgenstern / Aisle Research Jakub Witczak Ingela Anderton Andin

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32144",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T13:15:14.355759Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T13:15:20.530Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "pubkey_ocsp"
          ],
          "packageName": "public_key",
          "packageURL": "pkg:otp/public_key?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/pubkey_ocsp.erl"
          ],
          "programRoutines": [
            {
              "name": "pubkey_ocsp:is_authorized_responder/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.20.3",
                  "status": "unaffected"
                },
                {
                  "at": "1.17.1.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "1.16",
              "versionType": "otp"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ssl_stapling"
          ],
          "packageName": "ssl",
          "packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/ssl_stapling.erl"
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.5.4",
                  "status": "unaffected"
                },
                {
                  "at": "11.2.12.7",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "11.2",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "pubkey_ocsp"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/public_key/src/pubkey_ocsp.erl"
          ],
          "programRoutines": [
            {
              "name": "pubkey_ocsp:is_authorized_responder/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "28.4.2",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "27.0",
              "versionType": "otp"
            },
            {
              "changes": [
                {
                  "at": "ac7ff528be857c5d35eb29c7f24106e3a16d4891",
                  "status": "unaffected"
                },
                {
                  "at": "49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "601a012837ea0a5c8095bf24223132824177124d",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SSL/TLS must be configured with OCSP stapling enabled (e.g., \u003ctt\u003e{stapling, staple}\u003c/tt\u003e), or the application must call \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e directly. OCSP stapling is disabled by default (\u003ctt\u003e{stapling, no_staple}\u003c/tt\u003e)."
            }
          ],
          "value": "SSL/TLS must be configured with OCSP stapling enabled (e.g., {stapling, staple}), or the application must call public_key:pkix_ocsp_validate/5 directly. OCSP stapling is disabled by default ({stapling, no_staple})."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.10",
                  "versionStartIncluding": "27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.4.2",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Igor Morgenstern / Aisle Research"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jakub Witczak"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Ingela Anderton Andin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.\u003cp\u003eThe OCSP response validation in \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate\u0027s issuer name matches the CA\u0027s subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.\u003c/p\u003e\u003cp\u003eThis affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e API directly are also affected, with impact depending on usage context.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/public_key/src/pubkey_ocsp.erl\u003c/tt\u003e and program routines \u003ctt\u003epubkey_ocsp:is_authorized_responder/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.\u003c/p\u003e"
            }
          ],
          "value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.\n\nThe OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate\u0027s issuer name matches the CA\u0027s subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.\n\nThis affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.\n\nThis vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3.\n\nThis issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-459",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-459 Creating a Rogue Certification Authority Certificate"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:40:36.070Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-32144.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32144"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "OCSP designated-responder authorization bypass via missing signature verification",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cb\u003eFor SSL users:\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDo not enable OCSP validation setting (current default is \u003ctt\u003e{stapling, no_staple}\u003c/tt\u003e)\u003c/li\u003e\u003cli\u003eUse CRL-based revocation checking by setting the \u003ctt\u003e{crl_check, true}\u003c/tt\u003e SSL option instead\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cb\u003eFor applications using \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e directly:\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePass \u003ctt\u003e{is_trusted_responder_fun, Fun}\u003c/tt\u003e option with a function that validates trusted responder certificates\u003c/li\u003e\u003cli\u003eRestrict OCSP responder access to trusted endpoints via network controls (only applicable if you control the OCSP infrastructure)\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "For SSL users:\n\n* Do not enable OCSP validation setting (current default is {stapling, no_staple})\n* Use CRL-based revocation checking by setting the {crl_check, true} SSL option instead\n\nFor applications using public_key:pkix_ocsp_validate/5 directly:\n\n* Pass {is_trusted_responder_fun, Fun} option with a function that validates trusted responder certificates\n* Restrict OCSP responder access to trusted endpoints via network controls (only applicable if you control the OCSP infrastructure)"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-32144",
    "datePublished": "2026-04-07T12:28:00.767Z",
    "dateReserved": "2026-03-10T22:37:29.212Z",
    "dateUpdated": "2026-05-27T15:40:36.070Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0998

CVE-2026-28808 (GCVE-0-2026-28808)

CVE-2026-28810 (GCVE-0-2026-28810)

CVE-2026-32144 (GCVE-0-2026-32144)

Tags

Sightings

Nomenclature