Improper validation of certificate with host mismatch in otp - CVE-2026-42790
Published: July 2, 2026
otp
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass certificate hostname validation.
The vulnerability exists due to improper validation of a certificate with a host mismatch in public_key:pkix_verify_hostname/3 when the certificate being checked either lacks a Subject Alternative Name extension or carries one that contains no DNS name. A remote attacker in a man-in-the-middle position can present a specially crafted certificate of this shape and bypass certificate hostname validation, so the certificate is accepted for a host it does not name.
Exploitation requires the ability to intercept the victim's network traffic and, in the worst case, control of the signing key of a sub-CA that is name-constrained to DNS names. Such a sub-CA can still issue a certificate that carries no DNS name in its SAN, which is exactly the certificate shape the check mishandles, so the name constraint does not limit where the certificate is accepted.
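As an added example (not code from Erlang/OTP and not the fix for this issue), the following Python sketches the fail-closed hostname check a TLS client should get from any hostname verifier: the host the client intended to reach must match a SAN dNSName (or an iPAddress entry when the reference is an IP literal), wildcards follow the usual single-left-most-label rule, and a certificate with no SAN or with no DNS name in its SAN is rejected outright rather than treated as "nothing to check" or compared against the Subject CN. Certificates are modelled as constructed dictionaries; the field names `subject_cn`, `san_dns` and `san_ip` are assumptions of the example.

```python
"""Fail-closed hostname matching against SAN identities (added example).

The cert dictionaries are constructed stand-ins for a decoded certificate;
no real DER is parsed here.
"""
import ipaddress
from typing import Mapping, Sequence


class HostnameMismatch(Exception):
    """The presented certificate does not cover the intended host."""


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a single trailing dot is ignored.
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def _dns_name_match(pattern: str, reference: str) -> bool:
    """Match one SAN dNSName (possibly wildcarded) against the reference host."""
    pattern, reference = _normalize(pattern), _normalize(reference)
    if not pattern or not reference:
        return False
    if "*" not in pattern:
        return pattern == reference
    p_labels = pattern.split(".")
    r_labels = reference.split(".")
    # Wildcard rules: only the left-most label may be a wildcard, it must be
    # the whole label ("*"), at least two labels must follow it (so "*.com"
    # is refused), and it matches exactly one label of the reference name.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(r_labels) or r_labels[0] == "":
        return False
    return p_labels[1:] == r_labels[1:]


def verify_hostname(cert: Mapping[str, Sequence[str]], reference_id: str) -> bool:
    """Return True if cert covers reference_id, else raise HostnameMismatch.

    The Subject CN is deliberately never consulted: a certificate without a
    usable SAN identity is rejected instead of being accepted.
    """
    san_dns = cert.get("san_dns", [])
    san_ip = cert.get("san_ip", [])
    try:
        ref_ip = ipaddress.ip_address(reference_id)
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        # IP literals match only iPAddress entries, never dNSName entries.
        for entry in san_ip:
            try:
                if ipaddress.ip_address(entry) == ref_ip:
                    return True
            except ValueError:
                continue
        raise HostnameMismatch(f"no iPAddress SAN entry matches {reference_id}")

    if not san_dns:
        # The certificate shape the advisory describes: no SAN extension, or a
        # SAN holding no DNS name. Fail closed rather than skip the check.
        raise HostnameMismatch("certificate carries no SAN dNSName; refusing CN fallback")
    if any(_dns_name_match(name, reference_id) for name in san_dns):
        return True
    raise HostnameMismatch(f"no SAN dNSName matches {reference_id}")


def is_valid_for(cert: Mapping[str, Sequence[str]], reference_id: str) -> bool:
    """Boolean wrapper around verify_hostname for callers that prefer no exception."""
    try:
        return verify_hostname(cert, reference_id)
    except HostnameMismatch:
        return False


# Constructed sample certificates (field names are this example's own).
GOOD = {"subject_cn": "www.example.com", "san_dns": ["www.example.com", "example.com"]}
WILDCARD = {"subject_cn": "*.example.com", "san_dns": ["*.example.com"]}
CN_ONLY = {"subject_cn": "www.example.com", "san_dns": []}   # no DNS identity in SAN
IP_CERT = {"subject_cn": "gateway", "san_ip": ["10.0.0.5"]}

if __name__ == "__main__":
    for cert, host in [(GOOD, "www.example.com"), (WILDCARD, "api.example.com"),
                       (CN_ONLY, "www.example.com"), (IP_CERT, "10.0.0.5")]:
        print(f"{cert.get('subject_cn')!r:>20} for {host:<16} -> {is_valid_for(cert, host)}")
```

The point the advisory turns on is the `CN_ONLY` case: a verifier that returns "no mismatch" because there is no DNS name to compare against has accepted the certificate for every host. Whatever library performs the check, the absence of a DNS identity must be treated as a failure, not as the absence of something to verify.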