Improper Certificate Validation in otp - CVE-2026-42791
Published: July 2, 2026
otp
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass certificate revocation checks.
The vulnerability exists because public_key performs improper certificate validation when verifying OCSP responses. A remote attacker can present a forged OCSP response signed with the private key of an expired or not-yet-valid OCSP responder certificate to bypass certificate revocation checks.
This can affect SSL/TLS clients using OCSP stapling and applications that call public_key:pkix_ocsp_validate/5 directly. Exploitation requires possession of the private key of a legitimately issued OCSP responder certificate outside its validity period and the ability to deliver the forged OCSP response to the victim.
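As an added example that is not OTP's own code, the following Erlang module is an application-side pre-check that rejects an OCSP responder certificate whose validity period does not cover the time of verification; the module and function names are assumed, and the check is meant to run on each responder certificate before the response is handed to public_key.

```erlang
%% Added example (not part of OTP): refuse responder certificates that are
%% expired or not yet valid at the time the OCSP response is verified.
-module(ocsp_responder_check).
-export([responder_cert_valid_now/1, responder_cert_valid_at/2]).

-include_lib("public_key/include/public_key.hrl").

%% Check a DER-encoded responder certificate against the current UTC time.
responder_cert_valid_now(DerCert) ->
    responder_cert_valid_at(DerCert, calendar:universal_time()).

%% Check a DER-encoded responder certificate against a UTC datetime of the
%% form {{Y,M,D},{H,Mi,S}}. Returns ok, {error, not_yet_valid} or {error, expired}.
responder_cert_valid_at(DerCert, Now) ->
    #'OTPCertificate'{tbsCertificate = TBS} =
        public_key:pkix_decode_cert(DerCert, otp),
    #'OTPTBSCertificate'{validity = #'Validity'{notBefore = NB, notAfter = NA}} = TBS,
    NowSecs = calendar:datetime_to_gregorian_seconds(Now),
    case {NowSecs < to_secs(NB), NowSecs > to_secs(NA)} of
        {true, _} -> {error, not_yet_valid};
        {_, true} -> {error, expired};
        _         -> ok
    end.

%% X.509 Time is either utcTime "YYMMDDHHMMSSZ" (two-digit year; RFC 5280
%% maps 50-99 to 19xx and 00-49 to 20xx) or generalTime "YYYYMMDDHHMMSSZ".
to_secs({utcTime, [Y1, Y2 | Rest]}) ->
    YY = list_to_integer([Y1, Y2]),
    Year = if YY >= 50 -> 1900 + YY; true -> 2000 + YY end,
    to_secs_from(Year, Rest);
to_secs({generalTime, [Y1, Y2, Y3, Y4 | Rest]}) ->
    to_secs_from(list_to_integer([Y1, Y2, Y3, Y4]), Rest).

%% Convert the remaining "MMDDHHMMSS" digits plus a year into Gregorian seconds.
to_secs_from(Year, [M1, M2, D1, D2, H1, H2, Mi1, Mi2, S1, S2 | _]) ->
    DateTime = {{Year, list_to_integer([M1, M2]), list_to_integer([D1, D2])},
                {list_to_integer([H1, H2]), list_to_integer([Mi1, Mi2]),
                 list_to_integer([S1, S2])}},
    calendar:datetime_to_gregorian_seconds(DateTime).
```

A responder certificate rejected by this check means the OCSP response cannot be trusted and the revocation status must be treated as unknown, not as "good".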