CVE-2026-32144: OCSP designated-responder authorization bypass via missing signature verification

Published Apr 7, 2026
·
Updated

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.

Affected Software

9 affected components
Erlang OTP>=27.0<=28.4.2, =27.3.4.10
Erlang public_key>=1.16<=1.20.3, =1.17.1.2
Erlang ssl>=11.2<=11.5.4, =11.2.12.7
Erlang Erlang\/otp>=27.0<27.3.4.10
Erlang Erlang\/otp>=28.0<28.4.2
Erlang Erlang\/public Key>=1.16<1.17.1.2
Erlang Erlang\/public Key>=1.18<1.20.3
Erlang Erlang\/ssl>=11.2<11.2.12.7
Erlang Erlang\/ssl>11.3<11.5.4

Remediation

Patch Available

https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0

Patch Available

https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891

Event History

Apr 7, 2026
CVE Published
via MITRE·12:28 PM
Data Sourced
via MITRE·12:28 PM
DescriptionWeakness
Data Sourced
via NVD·01:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-32144?

CVE-2026-32144 has been classified with high severity due to its potential to bypass OCSP designated-responder authorization.

2

How do I fix CVE-2026-32144?

To mitigate CVE-2026-32144, update to Erlang OTP versions later than 28.4.2 or apply the necessary patches for affected versions.

3

What systems are affected by CVE-2026-32144?

CVE-2026-32144 affects Erlang OTP versions from 27.0 to 28.4.2, as well as specific versions of the Erlang public_key and ssl modules.

4

What is the impact of CVE-2026-32144?

The impact of CVE-2026-32144 includes potential unauthorized access as it allows for bypassing OCSP validation due to missing signature verification.

5

Is CVE-2026-32144 being actively exploited?

There is currently no public information indicating that CVE-2026-32144 is being actively exploited in the wild.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203