CVE-2026-42789
Analyzed Analyzed - Analysis Complete
Certificate Chain Forgery in Erlang OTP public_key

Publication date: 2026-05-27

Last updated on: 2026-06-05

Assigner: EEF

Description
Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_extensions/7 contains two flaws that together allow a certificate with basicConstraints cA:false and no keyUsage extension to be used as an intermediate issuer in a chain passed to public_key:pkix_path_validation/3: the cA:false clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the keyUsage check only fires when the extension is present, so a certificate lacking keyUsage entirely bypasses the keyCertSign enforcement. Any party holding an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any CA in the victim's trust store, can use that certificate's private key to sign forged leaf certificates for arbitrary identities. public_key:pkix_path_validation/3 accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP ssl application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers. This issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-05
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42789
EUVD
EUVD-2026-32272
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
erlang erlang/otp From 27.0 (inc) to 27.3.4.12 (exc)
erlang erlang/otp From 28.0 (inc) to 28.5.0.1 (exc)
erlang erlang/otp From 29.0 (inc) to 29.0.1 (exc)
erlang erlang/otp From 17.0 (inc) to 26.2.5.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
CWE-296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Erlang OTP public_key module, specifically in the pubkey_cert:validate_extensions/7 function. It improperly allows a non-CA certificate (one with basicConstraints cA:false and no keyUsage extension) to be accepted as an intermediate issuer in a certificate chain. This flaw enables an attacker who holds an end-entity certificate issued by a trusted CA to use that certificate's private key to sign forged leaf certificates for arbitrary identities. The certificate chain validation function public_key:pkix_path_validation/3 accepts these forged chains, affecting TLS and mTLS endpoints that rely on the default verifier in the OTP ssl application.

The root cause is that the validation logic does not reject certificates with cA:false when they appear in issuer position, and it only checks the keyUsage extension if it is present, allowing certificates without keyUsage to bypass the keyCertSign enforcement.

Impact Analysis

This vulnerability can have serious security impacts. An attacker who possesses a valid end-entity certificate issued by a trusted CA can exploit this flaw to forge leaf certificates for arbitrary identities. This means they can impersonate any server or client identity in TLS or mTLS communications that rely on the vulnerable certificate validation.

As a result, the confidentiality and integrity of communications can be compromised, allowing man-in-the-middle attacks, unauthorized access, or data interception. The vulnerability affects server identity verification on clients and client certificate verification on servers using the OTP ssl application.

Detection Guidance

Detection of this vulnerability involves identifying if your system is using affected versions of Erlang OTP or the public_key module that improperly validate certificate chains.

Specifically, you should check if your system uses OTP versions from 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, or 29.0.1, or corresponding public_key versions before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.

To detect exploitation attempts or presence of forged certificates, you can monitor TLS or mTLS endpoints that rely on the OTP ssl application for certificate validation.

While no explicit commands are provided in the resources, a practical approach includes:

  • Checking the Erlang/OTP version installed on your system using commands like `erl -version` or inspecting your package manager.
  • Reviewing certificate chains used in your TLS/mTLS endpoints to identify any intermediate certificates with basicConstraints cA:false and missing keyUsage extensions.
  • Using custom verification functions (verify_fun) in ssl or public_key applications to enforce stricter certificate validation and log any violations.
Mitigation Strategies

Immediate mitigation steps include upgrading your Erlang OTP and public_key module to patched versions that fix this vulnerability.

Patched versions include OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 or later, and corresponding public_key versions 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1 or later.

If immediate upgrade is not possible, a workaround is to use the 'verify_fun' option in the ssl or public_key applications to enforce proper validation of the basicConstraints extension, ensuring that only certificates with cA:true are accepted as intermediate issuers.

This workaround prevents acceptance of non-CA certificates as intermediates and mitigates certificate chain forgery.

Compliance Impact

This vulnerability allows improper certificate validation, enabling attackers to forge leaf certificates for arbitrary identities by exploiting a flaw in the certificate chain validation process. Such a flaw can undermine the integrity and authenticity of TLS and mTLS communications that rely on the Erlang OTP ssl application.

Because the vulnerability can lead to unauthorized certificate issuance and potential man-in-the-middle attacks, it poses significant risks to the confidentiality and integrity of data transmitted over affected systems.

These risks can impact compliance with common security standards and regulations such as GDPR and HIPAA, which require strong protections for data confidentiality and integrity, especially for personal and sensitive information transmitted over networks.

Failure to properly validate certificates and prevent certificate forgery could result in unauthorized data access or interception, potentially leading to violations of these regulations' requirements for data protection and breach prevention.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42789. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart