Description
Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery.

In lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_extensions/7 contains two flaws that together allow a certificate with basicConstraints cA:false and no keyUsage extension to be used as an intermediate issuer in a chain passed to public_key:pkix_path_validation/3: the cA:false clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the keyUsage check only fires when the extension is present, so a certificate lacking keyUsage entirely bypasses the keyCertSign enforcement.

Any party holding an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any CA in the victim's trust store, can use that certificate's private key to sign forged leaf certificates for arbitrary identities. public_key:pkix_path_validation/3 accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP ssl application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers.

This issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.
Published: 2026-05-27
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper following of a certificate’s chain of trust in Erlang OTP’s public_key module; a non‑CA certificate that lacks a basicConstraints cA:true flag and keyUsage keyCertSign can be accepted as an intermediate issuer. This flaw lets an attacker, who possesses an end‑entity certificate issued by a trusted CA, use that certificate’s private key to forge arbitrary leaf certificates for any identity. The forged chain is then considered valid by public_key:pkix_path_validation/3, which underlies all TLS and mutual TLS endpoints built on the OTP ssl application. The impact is the ability to spoof identities and perform man‑in‑the‑middle or impersonation attacks, compromising integrity and confidentiality of communications.

Affected Systems

Erlang OTP versions 17.0 through 26.2.5.21, as well as 27.3.4.12, 28.5.0.1, and 29.0.1 are affected. Correspondingly, the public_key library from 0.22 to 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1 is vulnerable. All systems running these OTP releases and relying on the default path validation are impacted.

Risk and Exploitability

The CVSS score of 7 indicates a high severity vulnerability. While the EPSS score is not available, the absence of a KEV listing suggests no widely known public exploitation, yet the attack vector is clear: any compromised end‑entity key can generate forged certificates that the verifier will accept. The flaw requires only the possession of a private key and does not require elevated privileges or network access by the attacker beyond delivering the forged chain to a verifier. Consequently, the risk remains high for systems that have not applied an official patch or mitigated the validation logic.

Generated by OpenCVE AI on May 27, 2026 at 16:18 UTC.

Remediation

Vendor Workaround

The verify_fun option in the ssl or public_key application can be used to ensure that path validation rejects chains where an intermediate certificate does not have basicConstraints cA:true.

OpenCVE Recommended Actions

  • Upgrade Erlang OTP to 26.2.5.21 or later, including 27.3.4.12, 28.5.0.1, or 29.0.1, which contain the fixed public_key logic.
  • If an immediate upgrade is not possible, configure the ssl or public_key application’s verify_fun option so that any chain with an intermediate certificate lacking basicConstraints cA:true is rejected during path validation.
  • Rebuild any applications that bundle the vulnerable OTP libraries against the updated OTP distribution to ensure they load the patched public_key module.

Generated by OpenCVE AI on May 27, 2026 at 16:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_extensions/7 contains two flaws that together allow a certificate with basicConstraints cA:false and no keyUsage extension to be used as an intermediate issuer in a chain passed to public_key:pkix_path_validation/3: the cA:false clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the keyUsage check only fires when the extension is present, so a certificate lacking keyUsage entirely bypasses the keyCertSign enforcement. Any party holding an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any CA in the victim's trust store, can use that certificate's private key to sign forged leaf certificates for arbitrary identities. public_key:pkix_path_validation/3 accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP ssl application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers. This issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.
Title Non-CA certificate accepted as intermediate issuer in public_key path validation
First Time appeared Erlang
Erlang erlang\/otp
Weaknesses CWE-295
CWE-296
CPEs cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang\/otp
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Erlang Erlang\/otp
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:46:57.832Z

Reserved: 2026-04-29T18:06:33.251Z

Link: CVE-2026-42789

cve-icon Vulnrichment

Updated: 2026-05-27T15:43:29.627Z

cve-icon NVD

Status : Received

Published: 2026-05-27T14:16:53.267

Modified: 2026-05-27T14:16:53.267

Link: CVE-2026-42789

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T16:30:36Z

Weaknesses