Improper Certificate Validation in otp - CVE-2026-42789
Published: July 2, 2026
otp
Detailed vulnerability description
The vulnerability allows a remote user to spoof arbitrary certificate identities.
The vulnerability exists due to improper certificate validation in public_key:pkix_path_validation/3 when validating certificate chains. A remote user who holds a non-CA end-entity certificate and its private key can use it to forge leaf certificates for arbitrary identities, and the flawed path validation accepts those forged certificates as genuine.
Exploitation requires possession of an end-entity certificate, issued by a CA in the victim's trust store, whose basicConstraints extension is set to cA:false and whose keyUsage extension is absent.
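The checks the flaw bypasses can be re-applied from the caller's side with a verify_fun, shown here as an added example (not code from the OTP project or this advisory). The module name strict_path_check, the error reasons, and the assumption that every issuer certificate in a chain carries a basicConstraints extension are mine.

```erlang
-module(strict_path_check).
-include_lib("public_key/include/public_key.hrl").
-export([validate/3, strict_verify_fun/3]).

%% Wraps public_key:pkix_path_validation/3 with a verify_fun that,
%% for every certificate the path treats as an issuer (the 'valid'
%% event; the leaf arrives as 'valid_peer'), requires basicConstraints
%% cA = true and, when keyUsage is present, the keyCertSign bit
%% (RFC 5280, section 6.1.4, steps (k) and (n)).
validate(TrustedCert, CertChain, Opts) ->
    public_key:pkix_path_validation(TrustedCert, CertChain,
        [{verify_fun, {fun strict_verify_fun/3, []}} | Opts]).

strict_verify_fun(OtpCert, valid, State) ->
    Exts = extensions(OtpCert),
    case {is_ca(Exts), may_sign_certs(Exts)} of
        {true, true} -> {valid, State};
        {false, _}   -> {fail, {bad_cert, issuer_not_a_ca}};
        {_, false}   -> {fail, {bad_cert, issuer_lacks_keycertsign}}
    end;
strict_verify_fun(_OtpCert, valid_peer, State) ->
    {valid, State};
strict_verify_fun(_OtpCert, {extension, _}, State) ->
    {unknown, State};               % let public_key handle other extensions
strict_verify_fun(_OtpCert, {bad_cert, _} = Reason, _State) ->
    {fail, Reason}.

extensions(#'OTPCertificate'{tbsCertificate =
        #'OTPTBSCertificate'{extensions = asn1_NOVALUE}}) -> [];
extensions(#'OTPCertificate'{tbsCertificate =
        #'OTPTBSCertificate'{extensions = Exts}}) -> Exts.

%% Assumption: an issuer without basicConstraints is treated as not a CA.
is_ca(Exts) ->
    case lists:keyfind(?'id-ce-basicConstraints', #'Extension'.extnID, Exts) of
        #'Extension'{extnValue = #'BasicConstraints'{cA = true}} -> true;
        _ -> false
    end.

%% keyUsage is optional; when present it must grant keyCertSign.
may_sign_certs(Exts) ->
    case lists:keyfind(?'id-ce-keyUsage', #'Extension'.extnID, Exts) of
        false -> true;
        #'Extension'{extnValue = Usage} -> lists:member(keyCertSign, Usage)
    end.
```

With this wrapper, a chain whose intermediate is the cA:false end-entity certificate described above is rejected with {error, {bad_cert, issuer_not_a_ca}} instead of being accepted.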