Improper Enforcement of Message Integrity During Transmission in a Communication Channel in otp - CVE-2026-54891
Published: July 2, 2026
otp
Detailed vulnerability description
The vulnerability allows a remote attacker to inject plaintext data into a TLS client application.
The vulnerability exists due to improper enforcement of message integrity during transmission in the (D)TLS client handshake handling when a man-in-the-middle interferes before the handshake completes. By injecting plaintext data before the handshake completes, a remote attacker can inject that data into a TLS client application.
The injected data may be delivered to the client application after a successful handshake. The injection window is smaller for TLS 1.3 than for earlier TLS versions.