Description
Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.

The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.

This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.

This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.
Published: 2026-06-10
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The inet_tls_dist:check_ip/1 function obtains the connecting node's address with inet:sockname/1 instead of inet:peername/1. Because sockname returns the local end of the connection, the address being checked is always one of the node's own interface addresses, and the subnet comparison against that interface succeeds for every peer. Any party presenting a TLS certificate signed by a CA that the node's distribution configuration trusts therefore bypasses the distribution-over-TLS LAN restriction and gains full distribution access to the node, including rpc:call/4 and code loading via code:load_binary/3, which amounts to remote code execution.
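The mechanism described in the Description above and in this Impact paragraph, as an added example that is not code from OTP or from inet_tls_dist.erl: a small Erlang module that models the allowlist's subnet comparison over an interface list in the shape inet:getif/1 returns ({Addr, Broadcast, Netmask} tuples) and replaces the socket with a map carrying what inet:sockname/1 and inet:peername/1 would report, so the vulnerable and the corrected address source can be compared offline. The module and function names, the map stand-in and all addresses are constructed for the example.

```erlang
%% lan_allowlist_demo.erl
%% Added example (not OTP code): models the inet_tls_dist LAN allowlist
%% check and shows why taking the "peer" address from inet:sockname/1
%% turns the subnet comparison into a tautology. The interface list uses
%% the {Addr, Broadcast, Netmask} shape that inet:getif/1 returns; the
%% socket is replaced by a map so the example runs without a network.
-module(lan_allowlist_demo).
-export([check_ip/3, mask/2, demo/0]).

%% Bitwise AND of an IPv4 netmask and address, element by element
%% (the same operation inet_tcp:mask/2 performs).
mask({M1, M2, M3, M4}, {A1, A2, A3, A4}) ->
    {M1 band A1, M2 band A2, M3 band A3, M4 band A4}.

%% Accept the peer if, for some local interface, the peer address and the
%% interface address fall into the same subnet under that interface's mask.
in_lan([{OwnIP, _Bcast, Netmask} | IFs], PeerIP) ->
    case {mask(Netmask, PeerIP), mask(Netmask, OwnIP)} of
        {Same, Same} -> true;
        _            -> in_lan(IFs, PeerIP)
    end;
in_lan([], _PeerIP) ->
    false.

%% "Socket" stand-in (constructed): a map holding what inet:sockname/1 and
%% inet:peername/1 would return for a real accepted connection.
sockname(#{sockname := {IP, _Port}}) -> {ok, IP}.
peername(#{peername := {IP, _Port}}) -> {ok, IP}.

%% The allowlist check, parameterised on which address accessor is used:
%%   vulnerable -> asks the socket for its *local* address (the bug),
%%   fixed      -> asks for the remote address.
check_ip(vulnerable, Socket, IFs) -> do_check(sockname(Socket), IFs);
check_ip(fixed, Socket, IFs)      -> do_check(peername(Socket), IFs).

do_check({ok, IP}, IFs) ->
    case in_lan(IFs, IP) of
        true  -> ok;
        false -> {error, ip_not_allowed}
    end.

demo() ->
    %% Constructed interface list: one LAN interface on 10.0.0.0/24.
    IFs = [{{10, 0, 0, 5}, {10, 0, 0, 255}, {255, 255, 255, 0}}],
    %% Constructed connection from an off-LAN address (TEST-NET-3).
    Remote = #{sockname => {{10, 0, 0, 5}, 4370},
               peername => {{203, 0, 113, 9}, 51234}},
    %% Constructed connection from a LAN neighbour.
    Local = #{sockname => {{10, 0, 0, 5}, 4370},
              peername => {{10, 0, 0, 7}, 51235}},
    [{vulnerable_remote, check_ip(vulnerable, Remote, IFs)},
     {fixed_remote,      check_ip(fixed, Remote, IFs)},
     {fixed_local,       check_ip(fixed, Local, IFs)}].
```

Compile with erlc and call lan_allowlist_demo:demo/0. The vulnerable variant accepts the off-LAN peer at 203.0.113.9, because the address it compares is the node's own 10.0.0.5, which necessarily masks to the same value as the interface the connection arrived on; the fixed variant rejects that peer with {error, ip_not_allowed} and still accepts the 10.0.0.7 neighbour. The local address of an accepted socket is always one of the node's interface addresses, which is why the original bug cannot fail for any peer, whatever the allowlist configuration.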

Affected Systems

Erlang/OTP releases from 26.0 onward are affected. The fix ships in 29.0.2 (29 series), 28.5.0.2 (28 series) and 27.3.4.13 (27 series); no corrected release is listed for the 26 series. The corresponding ssl application versions are 11.0 onward, fixed in 11.7.2, 11.6.0.2 and 11.2.12.9 respectively. Exposure is limited to nodes that run Erlang distribution over TLS via inet_tls_dist and rely on its LAN allowlist to restrict which peers may join; certificate validation itself is not affected, but it becomes the only effective barrier.

Risk and Exploitability

The CVSS 4.0 base score of 7.5 rates the vulnerability High. The recorded vector (AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H) captures the preconditions: the attacker must be able to reach the node's distribution listener and must already hold a TLS certificate signed by the CA that the node's distribution configuration trusts, but needs no account on the node and no user interaction. No EPSS score has been published, so there is no quantified estimate of exploitation likelihood, and the issue is not in the CISA KEV catalog. Once those preconditions are met the bypass is unconditional: check_ip/1 compares the local address with itself, so the LAN allowlist cannot reject any peer, and distribution access (rpc:call/4, code:load_binary/3) is equivalent to remote code execution as the OS user running the node. Organizations should treat this as high risk until patched and audit who holds certificates issued by the distribution CA.

Generated by OpenCVE AI on June 10, 2026 at 17:23 UTC.

Remediation

Vendor Workaround

Implement a custom verify_fun SSL option that correctly checks the peer IP address using inet:peername/1 on the socket.


OpenCVE Recommended Actions

  • Upgrade Erlang/OTP to 29.0.2, 28.5.0.2 or 27.3.4.13, or a later release in the same series; these ship ssl 11.7.2, 11.6.0.2 and 11.2.12.9 respectively, which carry the corrected check_ip/1 in lib/ssl/src/inet_tls_dist.erl. The ssl application is part of the OTP release, so there is no separate library to update; confirm the running version with application:get_key(ssl, vsn) after application:load(ssl).
  • Until the upgrade is in place, apply the vendor workaround: a custom verify_fun that obtains the connecting node's address with inet:peername/1 and enforces the LAN allowlist itself. Note that ssl invokes verify_fun with the certificate and a validation event, not with the socket, so the peer address has to be read from the accepted socket before the TLS handshake and made available to the callback.
  • In parallel, tighten the control that remains: the bypass still requires a certificate signed by the CA that the distribution configuration trusts. Restrict that CA (the cacertfile used for distribution) to node certificates only, keep issuance under strict control, and revoke or rotate any certificate held by a party that is not a legitimate cluster member.
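One way to realise the workaround described in the Vendor Workaround and in the actions above, as an added example that is neither OTP code nor the vendor's own implementation: a verify_fun in the {Fun, InitialState} form the ssl option expects, built per connection after the peer address has been read with inet:peername/1 from the accepted TCP socket and before ssl:handshake/2 is called, so the address can be captured in the closure. It generalises the LAN check to an explicit CIDR allowlist instead of the interface-derived subnets. The module name, verify_fun_for/2, peer_allowed/2, the accept-loop sketch in the comments and the addresses are assumptions made for the example; how the peer address reaches the callback in a given deployment is not specified on this page.

```erlang
%% lan_verify_fun.erl
%% Added example (not OTP code): a per-connection ssl verify_fun that
%% applies an IP allowlist to the address inet:peername/1 reported for the
%% accepted TCP socket. The caller must build the fun after accept and
%% before ssl:handshake/2, because ssl does not pass the socket to
%% verify_fun; the peer address therefore travels in the closure.
-module(lan_verify_fun).
-export([verify_fun_for/2, peer_allowed/2, demo/0]).

%% Allowlist entries are {Network, PrefixLength} for IPv4, e.g. {{10,0,0,0}, 24}.
-type cidr() :: {inet:ip4_address(), 0..32}.

%% Pack a dotted-quad tuple into a 32-bit integer.
ip_to_int({A, B, C, D}) -> (A bsl 24) bor (B bsl 16) bor (C bsl 8) bor D.

%% True if IP falls inside any allowed prefix. A /0 entry allows everything,
%% so the shift is guarded against PrefixLen = 0.
-spec peer_allowed(inet:ip4_address(), [cidr()]) -> boolean().
peer_allowed(IP, Allow) ->
    lists:any(fun({Net, Len}) ->
                      same_prefix(ip_to_int(IP), ip_to_int(Net), Len)
              end, Allow).

same_prefix(_, _, 0) -> true;
same_prefix(A, B, Len) ->
    Shift = 32 - Len,
    (A bsr Shift) =:= (B bsr Shift).

%% Build the {Fun, InitialState} pair for the ssl option {verify_fun, ...}.
%% PeerIP is what inet:peername/1 returned for this connection. Path
%% validation errors are still rejected; only the final valid_peer event
%% adds the address check, so a certificate from the trusted CA presented
%% from outside the allowlist fails the handshake.
-spec verify_fun_for(inet:ip4_address(), [cidr()]) -> {fun(), term()}.
verify_fun_for(PeerIP, Allow) ->
    Fun = fun(_Cert, {bad_cert, Reason}, _State) ->
                  {fail, Reason};
             (_Cert, {extension, _}, State) ->
                  {unknown, State};
             (_Cert, valid, State) ->
                  {valid, State};
             (_Cert, valid_peer, State) ->
                  case peer_allowed(PeerIP, Allow) of
                      true  -> {valid, State};
                      false -> {fail, {peer_ip_not_allowed, PeerIP}}
                  end
          end,
    {Fun, #{}}.

%% How an accept loop would wire it in (sketch, assumed for the example;
%% Listen is a gen_tcp listen socket and TlsOpts the usual certfile/keyfile/
%% cacertfile options):
%%
%%   {ok, Tcp} = gen_tcp:accept(Listen),
%%   {ok, {PeerIP, _Port}} = inet:peername(Tcp),
%%   Opts = [{verify, verify_peer}, {fail_if_no_peer_cert, true},
%%           {verify_fun, verify_fun_for(PeerIP, Allow)} | TlsOpts],
%%   {ok, Tls} = ssl:handshake(Tcp, Opts),

%% Offline demonstration: drive the callback with the events ssl would emit.
demo() ->
    Allow = [{{10, 0, 0, 0}, 24}],
    {InLan, S0} = verify_fun_for({10, 0, 0, 7}, Allow),
    %% Constructed off-LAN peer (TEST-NET-3).
    {OffLan, S1} = verify_fun_for({203, 0, 113, 9}, Allow),
    %% valid_peer is the event ssl raises for the peer's own certificate.
    [InLan(undefined, valid_peer, S0),
     OffLan(undefined, valid_peer, S1),
     OffLan(undefined, {bad_cert, unknown_ca}, S1)].
```

In demo/0 the in-LAN peer validates, the off-LAN peer is refused with {fail, {peer_ip_not_allowed, {203,0,113,9}}} even though its certificate chain would have been accepted, and a chain error is still refused before the address is consulted. The check runs on the server side only: it constrains who may connect to this node, not where this node connects to, and it is a stopgap until the corrected inet_tls_dist is installed.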

Generated by OpenCVE AI on June 10, 2026 at 17:23 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 16:00:00 +0000

Type                 Values Removed   Values Added
Description          (none)           Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3. This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl. This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.
Title                (none)           Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist
First Time appeared  (none)           Erlang; Erlang erlang\/otp
Weaknesses           (none)           CWE-1025; CWE-863
CPEs                 (none)           cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Erlang; Erlang erlang\/otp
References           (none)           (none)
Metrics              (none)           cvssV4_0: {'score': 7.5, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-10T16:23:31.951Z

Reserved: 2026-05-25T20:44:10.697Z

Link: CVE-2026-48860

Vulnrichment

Updated: 2026-06-10T16:23:27.427Z

NVD

Status : Received

Published: 2026-06-10T16:17:12.503

Modified: 2026-06-10T16:17:12.503

Link: CVE-2026-48860

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z

Weaknesses