CVE-2026-48860: Erlang/OTP SSL inet_tls_dist IP Spoofing Allows Cluster Bypass
A flaw in Erlang/OTP's TLS-based distribution module allows an attacker with a valid certificate to bypass IP-address-based access controls on Erlang cluster nodes. The vulnerability stems from a logic error where the code checks the local socket address instead of the remote peer's address when validating whether a connecting node is on the allowed subnet. An attacker holding any CA-signed TLS certificate can exploit this to gain unauthorized access to Erlang RPC and code-loading functions on affected nodes.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-1025, CWE-863
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3. This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl. This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The inet_tls_dist:check_ip/1 function in Erlang/OTP's ssl module contains a critical logic flaw in subnet allowlist enforcement. The function invokes inet:sockname/1 to retrieve IP address information for comparison against a LAN subnet mask. However, inet:sockname/1 returns the local socket's bound address, not the remote peer's address—a role fulfilled by inet:peername/1. Because both addresses resolve to the same local IP, the subnet mask comparison invariably succeeds, rendering the allowlist ineffective. An attacker with a certificate signed by a trusted CA can bypass network segmentation and execute arbitrary code via code:load_binary/3 or invoke remote procedures via rpc:call/4.
Business impact
Organizations running multi-node Erlang/OTP clusters with TLS-enabled distribution and relying on LAN-based network segmentation face direct bypass risk. A compromised or malicious certificate holder—whether internal or external—can laterally move within the cluster, execute arbitrary Erlang code on remote nodes, and potentially exfiltrate sensitive data processed by the cluster. The attack requires only a valid certificate and network access to any TLS port, eliminating the intended network isolation boundary.
Affected systems
Erlang/OTP versions 26.0 through 29.0.1, 28.0.0 through 28.4.x, and 27.0.0 through 27.3.4.12 are vulnerable. The ssl module versions affected include 11.0 through 11.7.1, 11.6.0.0 through 11.6.0.1, and 11.2.12.0 through 11.2.12.8. Any deployment using inet_tls_dist for cluster node communication with IP-based allowlisting is at risk, particularly in cloud and multi-tenant environments where tenants or lateral attackers may hold valid certificates.
Exploitability
Exploitation requires two prerequisites: a CA-signed TLS certificate and network access to the Erlang distribution port (typically 9999 or configured otherwise). The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network-based attack capability with low complexity and authentication via certificate possession. No user interaction is needed. The vulnerability is straightforward to exploit once access and a certificate are obtained; no special techniques or timing are required.
Remediation
Upgrade to patched versions: OTP 29.0.2 or later, OTP 28.5.0.2, or OTP 27.3.4.13. Corresponding ssl module versions are 11.7.2 or later, 11.6.0.2, or 11.2.12.9, respectively. Organizations unable to patch immediately should implement additional network controls: restrict outbound connectivity to Erlang distribution ports at the firewall level, segregate cluster nodes behind a VPN or private network boundary, and audit certificate issuance and revocation policies to limit the number of valid certificates in circulation.
Patch guidance
Contact your Erlang/OTP distributor or visit erlang.org for official patch releases. Verify the ssl module version in your deployment using erl -eval 'application:get_key(ssl, vsn), halt()' and cross-reference against the advisory. Test patches in a non-production environment before deployment to ensure compatibility with custom TLS configurations. Document any load-balancer or reverse-proxy configurations that interact with TLS distribution, as patching may require coordination with infrastructure changes.
Detection guidance
Monitor Erlang node logs for unexpected distribution connections, particularly from IP addresses outside the intended LAN range. Inspect TLS certificate usage and enrollment logs for certificates presented to distribution ports. Implement network-level intrusion detection to flag connections to distribution ports from untrusted CIDR blocks. Use Erlang's distribution tracing (if available in your version) to log peer connection attempts and compare the logged peer address against the allowlist rules to identify bypass attempts.
Why prioritize this
Although the CVSS score is 6.5 (Medium), the practical severity is elevated for Erlang-dependent workloads. The vulnerability directly undermines a fundamental trust boundary (network isolation) and enables code execution, which threatens confidentiality and system integrity. Organizations operating multi-node Erlang clusters for critical services (messaging, real-time systems, telecom) should prioritize patching. Conversely, single-node deployments or those using only local distribution (without TLS) face lower risk.
Risk score, explained
The CVSS 6.5 Medium rating reflects high confidentiality impact (H) and low attack complexity (L) but assumes the attacker already holds a valid TLS certificate. In threat models where certificate compromise is plausible (insider threats, supply chain attacks, misconfigured certificate issuance), the effective risk is substantially higher. The score does not account for code execution through rpc:call/4 or code:load_binary/3, which could lead to integrity violation; thus, organizations should supplement CVSS with context-specific risk analysis.
Frequently asked questions
Can we mitigate this without patching if we use network segmentation?
Partially. A VPN or private network that restricts TLS traffic to trusted sources reduces the attack surface, but does not eliminate it if an insider or lateral adversary holds a valid certificate. Patching remains the definitive fix. In the interim, firewall rules limiting distribution port access and certificate revocation for unused credentials provide defense-in-depth.
Does this vulnerability affect single-node Erlang deployments?
No. The vulnerability requires TLS-enabled distribution and an inet_tls_dist-based allowlist. Single-node systems or those using the default distribution module without TLS are unaffected.
What is the difference between the three patched versions, and which should we deploy?
OTP 29.0.2+ is the latest stable release and recommended for new deployments. OTP 28.5.0.2 and 27.3.4.13 are backport patches for earlier major versions. Choose based on your version's support status and compatibility testing; do not skip major version upgrades without testing in a staging environment.
How can we audit whether our cluster is using the vulnerable code path?
Check your node's startup configuration for the dist_tcp_options or equivalent parameter controlling TLS. If inet_tls_dist is explicitly enabled and check_ip is configured with a subnet mask, your cluster is affected. Review the ssl module version and compare it against the advisory's patched versions.
This analysis is based on publicly available CVE data and vendor advisories as of the publication date. No exploit code or weaponized proof-of-concept details are provided. Organizations must verify patch availability and compatibility with their specific Erlang/OTP build and deployment architecture. Threat modeling and risk prioritization should account for your organization's threat landscape, certificate governance, and cluster criticality. Consult Erlang/OTP vendor advisories and your internal security team before deploying patches to production. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10860MEDIUMMISP Delete Validation Bypass – Logic Error in HTTP DELETE Handler
- CVE-2026-21036MEDIUMSamsung Internet Authorization Flaw Exposes Sensitive Data
- CVE-2026-32906MEDIUMOpenClaw Privilege Escalation in Slack Plugin Approvals
- CVE-2026-34507MEDIUMOpenClaw QQBot Admin Command Policy Bypass (CVSS 5.4)
- CVE-2026-35673MEDIUMOpenClaw SSRF Policy Bypass in Debug and Export Routes