Platform
other
Component
public_key
Fixed in
*
*
*
*
CVE-2026-32144 describes an Improper Certificate Validation vulnerability within the Erlang OTP publickey module (specifically, the pubkeyocsp_validate/5 function). This flaw allows an attacker to bypass OCSP (Online Certificate Status Protocol) authorization checks by exploiting a lack of signature verification on responder certificates. Versions 1.16.0 and later are affected, and a fix is expected to be released soon.
The core of this vulnerability lies in the failure to verify that OCSP responder certificates are cryptographically signed by the issuing Certificate Authority (CA). Instead, the validation process only checks issuer and subject name matching and the presence of the OCSPSigning extended key usage. An attacker can leverage this weakness to craft malicious, self-signed OCSP responses that appear valid to the Erlang OTP implementation. This enables a man-in-the-middle (MITM) attack where the attacker can intercept and manipulate TLS/SSL connections, potentially decrypting sensitive data or injecting malicious content. The blast radius extends to any application relying on Erlang OTP for certificate validation, particularly those handling sensitive data or performing critical operations. This is similar in concept to vulnerabilities where OCSP validation is bypassed, allowing for the acceptance of untrusted certificates.
CVE-2026-32144 was publicly disclosed on 2026-04-07. Its EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests a relatively low barrier to exploitation once a PoC is developed. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.04% (14% percentile)
CISA SSVC
The primary mitigation is to upgrade to a patched version of Erlang OTP as soon as it becomes available. Until a patch is applied, consider implementing OCSP stapling on your servers. OCSP stapling allows the server to present a valid OCSP response directly to the client, eliminating the need for the client to contact the OCSP responder and reducing the attack surface. Additionally, review your application's certificate validation logic to ensure it is robust and doesn't solely rely on OCSP validation. Consider implementing additional validation checks, such as certificate revocation lists (CRLs), to provide a layered defense. Monitor system logs for unusual OCSP-related activity.
Update the public_key library to version 1.20.4 or higher, or the ssl library to version 11.5.5 or higher, or OTP to version 28.4.3 or higher to mitigate the vulnerability. The update corrects the missing signature verification in OCSP responses, preventing certificate forgery.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-32144 is a vulnerability in Erlang OTP's public_key module that allows attackers to bypass OCSP authorization checks due to a missing signature verification step, potentially enabling MITM attacks.
If you are using Erlang OTP version 1.16.0 or later, you are potentially affected by this vulnerability. Assess your certificate validation practices and prioritize patching.
The recommended fix is to upgrade to a patched version of Erlang OTP as soon as it becomes available. Until then, consider OCSP stapling as a temporary workaround.
As of the current disclosure date, there are no confirmed reports of active exploitation. However, the vulnerability's nature suggests it could be exploited once a proof-of-concept is developed.
Refer to the official Erlang OTP project website and security mailing lists for updates and advisories regarding CVE-2026-32144.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.