Which versions of Erlang/OTP are affected by EUVD-2026-36057?

Erlang/OTP's TLS distribution module (inet_tls_dist) contains an authentication bypass vulnerability enabling remote code execution for attackers holding valid TLS certificates.. A patch is available.

How to fix or mitigate EUVD-2026-36057?

24 hours: Identify all Erlang/OTP deployments and document TLS certificate trust configurations. 7 days: Apply patch available per vendor advisory to all affected Erlang/OTP nodes. 30 days: Validate patch deployment across infrastructure, review and restrict unnecessary CAs in trust stores, and implement network-level access controls for Erlang distribution ports.

Erlang/OTP EUVD-2026-36057

Q: What is the CVSS score of EUVD-2026-36057?

EUVD-2026-36057 has a CVSS 4.0 base score of 7.5 (High). CVSS vector: CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

| CVE-2026-48860 HIGH

Comparison Using Wrong Factors (CWE-1025)

2026-06-10 EEF

Authentication Bypass

7.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

Jun 10, 2026 - 16:35 vuln.today

Analysis Generated

Jun 10, 2026 - 16:35 vuln.today

CVSS changed

Jun 10, 2026 - 16:22 NVD

7.5 (HIGH)

DescriptionNVD

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.

The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.

This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.

This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.

AnalysisAI

Authentication bypass in Erlang/OTP's TLS distribution module (inet_tls_dist) lets any attacker holding a TLS certificate signed by a CA in the node's trust store gain full Erlang distribution access, including remote code execution via rpc:call/4 and code:load_binary/3. The flaw stems from check_ip/1 inspecting the local socket address (inet:sockname/1) instead of the peer's address (inet:peername/1), so the LAN-allowlist subnet comparison always matches. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Locate TLS distribution listener

Delivery

Obtain CA-trusted client certificate

Exploit

Open TLS connection to dist port

Install

Bypass check_ip via sockname bug

Issue rpc:call to load_binary

Execute

Execute arbitrary Erlang on node

Impact

Pivot across cluster peers