CVE-2026-42791 PUBLISHED

OCSP responder certificate validity period not checked in public_key

Assigner: EEF
Reserved: 29.04.2026 Published: 27.05.2026 Updated: 27.05.2026

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid.

OCSP response verification in pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorized_responder/3 in lib/public_key/src/pubkey_ocsp.erl does not check the validity period (notBefore/notAfter) of the OCSP responder certificate. An attacker who has obtained the private key of an expired CA-designated OCSP responder certificate can forge OCSP responses that Erlang/OTP accepts as valid.

This affects TLS clients using OCSP stapling via the ssl application: a malicious or compromised server can present a revoked TLS certificate together with a forged OCSP response signed by an expired responder key, and the client will accept the revoked certificate as valid. It also affects applications calling public_key:pkix_ocsp_validate/5 directly, where the impact depends on the use case — server-side client certificate validation using this API may allow authentication bypass with a revoked client certificate.

This issue affects OTP from OTP 27.0 before OTP 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.16 before 1.17.1.3, 1.20.3.1, and 1.21.1.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	High	Integrity	Low	Integrity	Low
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Erlang
Product	OTP
Versions	Default: unknown affected from 1.16 to * (excl.)

Vendor	Erlang
Product	OTP
Versions	Default: unknown affected from 27.0 to * (excl.) affected from 2b1a742c651b90f8a7a1fb2ddde73f29915ea376 to * (excl.)

Affected Configurations

For the ssl application, OCSP stapling must be enabled by setting the stapling option to staple in the TLS client options. OCSP stapling is not enabled by default.

Applications calling public_key:pkix_ocsp_validate/5 directly are unconditionally affected when that function is used.

Workarounds

For TLS clients using the ssl application, disable OCSP stapling by setting {stapling, no_staple} in the client options, or switch to CRL-based revocation checking with {crl_check, true}.
For applications calling public_key:pkix_ocsp_validate/5 directly, validate the responder certificate's validity period in application code before calling the function.

Credits

Jakub Witczak remediation developer
Ingela Andin remediation reviewer

References

Problem Types

CWE-295 Improper Certificate Validation CWE
CWE-672 Operation on a Resource after Expiration or Release CWE

Impacts

CAPEC-475 Signature Spoofing by Improper Validation