CVE-2026-48860

Published: Giu 10, 2026 Last Modified: Giu 10, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Attack Vector: adjacent
Attack Complexity: high
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.

The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.

This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.

This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0003
Percentile
0,1th
Updated

EPSS Score Trend (Last 4 Days)

863

Incorrect Authorization

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control Availability
Potential Impacts:
Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
Technologies: Web Server, Database Server, Not Technology-Specific
Likelihood of Exploit: High
View CWE Details
1025

Comparison Using Wrong Factors

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Other
Potential Impacts:
Varies By Context
Applicable Platforms
All platforms may be affected
View CWE Details
https://cna.erlef.org/cves/CVE-2026-48860.html
https://cna.erlef.org/cves/CVE-2026-48860.html
https://github.com/erlang/otp/commit/0209a6df65d605552b3782…
https://github.com/erlang/otp/commit/0209a6df65d605552b378273027b3968b35f26b4
https://github.com/erlang/otp/security/advisories/GHSA-gp7x…
https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv
https://osv.dev/vulnerability/EEF-CVE-2026-48860
https://osv.dev/vulnerability/EEF-CVE-2026-48860
https://www.erlang.org/doc/system/versions.html#order-of-ve…
https://www.erlang.org/doc/system/versions.html#order-of-versions