Vypr Intelligence · AI-generated · Jul 3, 2026 · 4 CVEs

Erlang/OTP: Four SSL/SFTP Vulnerabilities Disclosed Together on July 3, 2026

Four vulnerabilities in Erlang/OTP's SSL and SFTP modules were disclosed on July 3, 2026, affecting secure communications and file transfers.

Key findings

  • Four vulnerabilities disclosed in Erlang/OTP on July 3, 2026, impacting SSL/TLS and SFTP components.
  • CVE-2026-53422 allows authenticated SFTP users to enumerate files outside their root directory.
  • CVE-2026-54891 permits network attackers to inject unauthenticated data into TLS sessions.
  • CVE-2026-55950 enables remote attackers to crash DTLS sessions via a TOCTOU race condition.
  • CVE-2026-54887 involves predictable DTLS cookie computation, potentially bypassing source address verification.

On July 3, 2026, a batch of four vulnerabilities was disclosed in Erlang/OTP, the open-source platform for building scalable and robust applications. These vulnerabilities, all disclosed on the same day, primarily affect the Secure Sockets Layer (SSL) and Secure File Transfer Protocol (SFTP) components of the Erlang/OTP distribution. The disclosures highlight potential security weaknesses in how Erlang/OTP handles secure communications and file transfers, with impacts ranging from information disclosure to denial-of-service conditions.

Two of the vulnerabilities, CVE-2026-54891 and CVE-2026-54887, are related to the SSL/TLS implementation. CVE-2026-54891, an "Improper Enforcement of Message Integrity During Transmission" flaw in the tls_gen_connection module, could allow a network attacker to inject unauthenticated data that is later treated as legitimate server data by the TLS client. This could lead to data corruption or manipulation. CVE-2026-54887, a "Use of Default Cryptographic Key" vulnerability in the DTLS server, allows for predictable DTLS cookie computation during the startup phase. This predictability can enable a bypass of source address verification, potentially facilitating denial-of-service attacks or man-in-the-middle attempts.

Another vulnerability, CVE-2026-53422, impacts the SFTP server component, specifically the ssh_sftpd module. This "Observable Response Discrepancy" flaw allows an authenticated SFTP user to enumerate files and directories outside their designated root directory. The vulnerability stems from the ssh_sftpd module's handling of file paths, where Canonicalize=false in the relate_file_name/3 function permits directory traversal.
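To make the root-confinement point concrete, the following is an added illustration (not code from Erlang/OTP's ssh_sftpd and not its relate_file_name/3): a client-supplied path is joined onto the user's root with canonicalization either off or on, and a helper checks whether out-of-root probes produce differing responses. The file set, root paths and function names are constructed for the example.

```python
import posixpath

# Constructed stand-in for the server host's filesystem; paths are POSIX
# style, as an SFTP client would send them.
HOST_FILES = {
    "/srv/sftp/alice/report.txt",
    "/srv/sftp/bob/secret.txt",
    "/etc/passwd",
}

def relate_path(root, client_path, canonicalize):
    """Join client_path onto root (illustrative, not OTP's relate_file_name/3).

    With canonicalize=False the '..' segments survive, so the host resolves
    them and the result may land outside root. With canonicalize=True they
    are collapsed first and anything not under root is rejected (None).
    """
    joined = posixpath.join(root, client_path.lstrip("/"))
    if not canonicalize:
        return joined
    normalized = posixpath.normpath(joined)
    inside = normalized == root or normalized.startswith(root.rstrip("/") + "/")
    return normalized if inside else None

def sftp_stat(root, client_path, canonicalize):
    """Response a STAT request would produce: "ok" or "no_such_file".

    A rejected (out-of-root) path gets the same answer as a missing file, so
    the reply never depends on whether the outside target exists.
    """
    resolved = relate_path(root, client_path, canonicalize)
    if resolved is None:
        return "no_such_file"
    # normpath here models the host filesystem resolving any surviving '..'.
    return "ok" if posixpath.normpath(resolved) in HOST_FILES else "no_such_file"

def leaks_existence(root, probes, canonicalize):
    """True if the probes draw more than one distinct response, i.e. the
    server's answers reveal whether paths outside root exist."""
    return len({sftp_stat(root, p, canonicalize) for p in probes}) > 1
```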

Finally, CVE-2026-55950 addresses a "Time-of-check Time-of-use (TOCTOU) race condition" within the DTLS server's packet demultiplexing mechanism. A DTLS server listener uses a shared dtls_packet_demux process to route incoming UDP datagrams. The TOCTOU vulnerability in this process allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener, leading to a denial-of-service condition.

The disclosure of these four vulnerabilities in close succession underscores the importance of maintaining up-to-date Erlang/OTP installations, particularly for applications relying on secure network communications and file transfer services. Users are advised to consult the official Erlang/OTP security advisories for specific patch information and affected version details.

The batch of vulnerabilities disclosed on July 3, 2026, affects Erlang/OTP's secure communication modules. These include flaws in SFTP file enumeration, TLS message integrity, DTLS session stability, and predictable DTLS cookie generation. Users should prioritize updating their Erlang/OTP installations to mitigate these risks.

CVE-2026-53422, CVE-2026-54891, CVE-2026-55950, CVE-2026-54887

AI-written article. Grounded in the 4 CVE records listed above.