Vulnerability details: VCID-1py9-5tap-d7fv
Vulnerability ID VCID-1py9-5tap-d7fv
Aliases CVE-2026-42789
Summary Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_extensions/7 contains two flaws that together allow a certificate with basicConstraints cA:false and no keyUsage extension to be used as an intermediate issuer in a chain passed to public_key:pkix_path_validation/3: the cA:false clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the keyUsage check only fires when the extension is present, so a certificate lacking keyUsage entirely bypasses the keyCertSign enforcement. Any party holding an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any CA in the victim's trust store, can use that certificate's private key to sign forged leaf certificates for arbitrary identities. public_key:pkix_path_validation/3 accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP ssl application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers. This issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.
Status Published
Exploitability None
Weighted Severity None
Risk None
Weaknesses (2)
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N Found at https://cna.erlef.org/cves/CVE-2026-42789.html
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/ Found at https://cna.erlef.org/cves/CVE-2026-42789.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N Found at https://github.com/erlang/otp/commit/471cd2f664300a95353c467873800bbe706005db
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/ Found at https://github.com/erlang/otp/commit/471cd2f664300a95353c467873800bbe706005db
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N Found at https://github.com/erlang/otp/commit/59c8d824386b2eb1614ff9340624843ef6aca0fd
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/ Found at https://github.com/erlang/otp/commit/59c8d824386b2eb1614ff9340624843ef6aca0fd
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N Found at https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/ Found at https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N Found at https://osv.dev/vulnerability/EEF-CVE-2026-42789
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/ Found at https://osv.dev/vulnerability/EEF-CVE-2026-42789
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N Found at https://www.erlang.org/doc/system/versions.html#order-of-versions
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/ Found at https://www.erlang.org/doc/system/versions.html#order-of-versions
Exploit Prediction Scoring System (EPSS)
Percentile 0.08507
EPSS Score 0.00028
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T13:49:46.798734+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0