Description
Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.

The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.

This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.

This issue affects OTP from 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13, corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.
Published: 2026-06-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The inet_tls_dist:check_ip/1 function improperly uses inet:sockname/1 instead of inet:peername/1 to obtain the connecting node's IP address. Since sockname returns the local socket address, the LAN allowlist comparison always succeeds, allowing any party that presents a CA-signed TLS certificate to bypass the distribution-over-TLS LAN restriction. As a result, an attacker gains full distribution access to the node, including the ability to invoke rpc:call/4 and load code via code:load_binary/3, effectively achieving remote code execution.

Affected Systems

This vulnerability impacts Erlang/OTP releases from 26.0 before the fixed versions 29.0.2, 28.5.0.2 and 27.3.4.13, together with the corresponding ssl application versions from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9. All installations of Erlang/OTP using these ssl versions are susceptible.

Risk and Exploitability

The CVSS score of 7.5 classifies the vulnerability as High severity, while the EPSS score of 0.00194 indicates a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw over the network by presenting a TLS certificate signed by a CA that the node trusts for Erlang distribution; no additional privileges are required. Because the defect disables the LAN allowlist unconditionally for every such certificate holder, the potential impact is significant, and organizations should treat this as a high-risk issue pending patch deployment.

Generated by OpenCVE AI on June 18, 2026 at 21:08 UTC.

Remediation

Vendor Workaround

Implement a custom verify_fun SSL option that correctly checks the peer IP address using inet:peername/1 on the socket.


OpenCVE Recommended Actions

  • Upgrade Erlang/OTP to version 29.0.2 or later, or to 28.5.0.2 or later, or 27.3.4.13 or later to receive the corrected network logic.
  • Update the Erlang SSL library to version 11.7.2 or later, or to 11.6.0.2 or later, or 11.2.12.9 or later to include the fix for the check_ip function.
  • Configure the SSL layer with a custom verify_fun that uses inet:peername/1 to validate the connecting node’s IP address, thereby enforcing the LAN allowlist even before the patch is applied.
  • If upgrade is not immediately feasible, deploy the custom verify_fun as a temporary mitigation while maintaining strict control over trusted client certificates.

Generated by OpenCVE AI on June 18, 2026 at 21:08 UTC.
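The allowlist check that the Description and the recommended actions above revolve around, as an added Erlang illustration (not OTP's inet_tls_dist code; the module lan_allowlist and its functions are this example's own, while inet:peername/1, inet:sockname/1 and inet:getifaddrs/0 are the real OTP calls). peer_in_lan/1 takes the remote address from inet:peername/1 and compares it against every local interface's subnet; demo/0 runs the same comparison on constructed addresses, once with the true remote address and once with the local address that inet:sockname/1 would return, which is how the comparison becomes true for any remote.

```erlang
%% lan_allowlist.erl: added illustration for this page, not OTP's inet_tls_dist code.
%% Module and function names are this example's own; only inet:peername/1,
%% inet:sockname/1 and inet:getifaddrs/0 are real OTP calls.
-module(lan_allowlist).
-export([peer_in_lan/1, in_lan/2, local_interfaces/0, demo/0]).

%% inet:peername/1 answers "who connected?"; inet:sockname/1 answers "which local
%% address did they connect to?". Feeding the latter into the subnet comparison
%% compares a local address with itself, which is the bypass the advisory describes.
peer_in_lan(Socket) ->
    case inet:peername(Socket) of
        {ok, {PeerIP, _Port}} -> in_lan(PeerIP, local_interfaces());
        {error, _Reason}      -> false   % peer unknown: fail closed
    end.

%% Pure decision: PeerIP is allowed if it shares a subnet with some local interface.
%% Interfaces is a list of {LocalIP, Netmask}; an IPv4/IPv6 family mismatch is no match.
in_lan(PeerIP, Interfaces) ->
    lists:any(fun({LocalIP, Mask}) ->
                      tuple_size(LocalIP) =:= tuple_size(PeerIP) andalso
                          tuple_size(Mask) =:= tuple_size(PeerIP) andalso
                          mask(Mask, LocalIP) =:= mask(Mask, PeerIP)
              end, Interfaces).

mask(Mask, IP) ->
    list_to_tuple([M band A || {M, A} <- lists:zip(tuple_to_list(Mask),
                                                   tuple_to_list(IP))]).

%% {Addr, Netmask} pairs from inet:getifaddrs/0, where each addr option is
%% immediately followed by its netmask option.
local_interfaces() ->
    {ok, IfList} = inet:getifaddrs(),
    lists:append([pairs(Opts) || {_Name, Opts} <- IfList]).

pairs([{addr, A}, {netmask, M} | Rest]) -> [{A, M} | pairs(Rest)];
pairs([_ | Rest])                        -> pairs(Rest);
pairs([])                                -> [].

%% Constructed addresses (no sockets involved) contrasting the two address sources.
demo() ->
    Ifs    = [{{10,0,0,5}, {255,255,255,0}}],  % constructed local interface
    Remote = {203,0,113,9},                     % constructed off-LAN peer (TEST-NET-3)
    Local  = {10,0,0,5},                        % what inet:sockname/1 would yield
    [{lan_peer,        in_lan({10,0,0,7}, Ifs)},  % peer inside 10.0.0.0/24
     {remote_peername, in_lan(Remote, Ifs)},      % off-LAN peer, address from peername
     {remote_sockname, in_lan(Local, Ifs)}].      % same peer, address as sockname reports
```

Compile with erlc lan_allowlist.erl and call lan_allowlist:demo() in an erl shell; the remote_peername entry is rejected while the remote_sockname entry passes, which is the vacuous check the advisory describes.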


History

Thu, 18 Jun 2026 16:45:00 +0000

  • Weaknesses: added CWE-303
  • References: changed
  • Metrics: threat_severity changed from None to Moderate

Mon, 15 Jun 2026 18:30:00 +0000

  • First Time appeared: Erlang erlang/ssl
  • CPEs: added cpe:2.3:a:erlang:erlang\/ssl:*:*:*:*:*:*:*:*
  • Vendors & Products: added Erlang erlang/ssl
  • Metrics: cvssV3_1 added {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 10 Jun 2026 20:45:00 +0000

  • First Time appeared: Erlang otp
  • Vendors & Products: added Erlang otp

Wed, 10 Jun 2026 17:30:00 +0000

  • Metrics: ssvc added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 16:00:00 +0000

  • Description: added (the text shown under Description at the top of this page)
  • Title: Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist
  • First Time appeared: Erlang; Erlang erlang/otp
  • Weaknesses: added CWE-1025, CWE-863
  • CPEs: added cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
  • Vendors & Products: added Erlang; Erlang erlang/otp
  • References: added
  • Metrics: cvssV4_0 added {'score': 7.5, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-06-11T04:45:42.753Z
Reserved: 2026-05-25T20:44:10.697Z
Link: CVE-2026-48860

Vulnrichment

Updated: 2026-06-10T16:23:27.427Z

NVD

Status: Analyzed
Published: 2026-06-10T16:17:12.503
Modified: 2026-06-15T18:24:03.653
Link: CVE-2026-48860

Red Hat

Severity: Moderate
Public Date: 2026-06-10T14:35:49Z
Links: CVE-2026-48860 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T21:15:03Z

Weaknesses

  • CWE-1025: Comparison Using Wrong Factors
  • CWE-303: Incorrect Implementation of Authentication Algorithm
  • CWE-863: Incorrect Authorization