PT-2026-48467 · Ssl+1

Jakub Witczak +2 · Published 2026-06-10 · Updated 2026-06-10 · CVE-2026-48860

CVSS v4.0: 7.5 High
Vector: AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Erlang/OTP versions 26.0 through 29.0.1
Erlang/OTP version 28.5.0.1 and earlier
Erlang/OTP version 27.3.4.12 and earlier
ssl versions 11.0 through 11.7.1
ssl version 11.6.0.1 and earlier
ssl version 11.2.12.8 and earlier
Description
An issue in the inet_tls_dist module allows an unauthenticated bypass of the LAN allowlist for Erlang distribution over TLS. The check_ip() function incorrectly calls sockname() instead of peername() to retrieve the peer's IP address. Since sockname() returns the local socket address, which by construction lies within one of the node's own interface subnets, the subnet mask comparison always succeeds regardless of the actual remote address. Consequently, any holder of a CA-signed TLS certificate can bypass the LAN restriction and gain full distribution access to the node, including the ability to call rpc:call() and code:load_binary().
Recommendations
Update Erlang/OTP to version 29.0.2, 28.5.0.2, or 27.3.4.13. Update ssl to version 11.7.2, 11.6.0.2, or 11.2.12.9. Implement a custom verify_fun SSL option that correctly checks the peer IP address using peername() on the socket.
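A model of the defective check beside its corrected form, added here as an illustration and not taken from OTP source: the interface table, the socket endpoints and the FakeSocket stand-in (with sockname/peername methods) are all constructed for the example.

```python
"""Why a sockname()-based LAN allowlist cannot fail (CVE-2026-48860 model).

Constructed example, not Erlang/OTP code: the interface table and socket
endpoints are made up. check_ip_vulnerable() mirrors the reported defect
(it consults the socket's own address); check_ip_fixed() consults the peer.
"""
import ipaddress
from dataclasses import dataclass

# Constructed local interface table, (address, netmask) pairs in the spirit
# of what inet:getif/0 reports for the node's own interfaces.
LOCAL_IFS = [
    ("10.0.5.17", "255.255.255.0"),
    ("127.0.0.1", "255.0.0.0"),
]


@dataclass
class FakeSocket:
    """Stand-in for a connected TLS socket: local and remote endpoints."""
    local: tuple[str, int]
    peer: tuple[str, int]

    def sockname(self):  # like ssl:sockname/1: our own end
        return self.local

    def peername(self):  # like ssl:peername/1: the remote end
        return self.peer


def in_local_subnet(ip: str, ifs=LOCAL_IFS) -> bool:
    """True if ip falls inside any local interface's subnet (mask compare)."""
    addr = ipaddress.ip_address(ip)
    return any(
        addr in ipaddress.ip_interface(f"{if_ip}/{mask}").network
        for if_ip, mask in ifs
    )


def check_ip_vulnerable(sock: FakeSocket, ifs=LOCAL_IFS) -> bool:
    # Defect: the local address is, by definition, on a local interface,
    # so this comparison passes for every peer, LAN or not.
    ip, _port = sock.sockname()
    return in_local_subnet(ip, ifs)


def check_ip_fixed(sock: FakeSocket, ifs=LOCAL_IFS) -> bool:
    # Corrected: compare the remote address against the local subnets.
    ip, _port = sock.peername()
    return in_local_subnet(ip, ifs)
```

Running both checks against a connection from a non-LAN address shows the vulnerable variant accepting it while the fixed variant rejects it; a LAN peer passes both.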

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers

CVE-2026-48860
GHSA-GP7X-MFV6-52CV

Affected Products

Erlang/Otp
Ssl