VYPR
High severity · NVD Advisory · Published Jun 10, 2026

CVE-2026-48860

Description

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.

The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.

This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.

This issue affects OTP from 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13, corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.

Affected products

  • SSH/SSH
  • Erlang/ssl
    Range: >=11.0, <11.7.2, >=11.6.0.2, <11.6.0.2, >=11.2.12.9, <11.2.12.9
  • Erlang/OTP
    Range: >=26.0, <29.0.2, >=28.5.0.2, <28.5.0.2, >=27.3.4.13, <27.3.4.13

Patches

0209a6df65d6

ssl: Correct function used to check peer IP

https://github.com/erlang/otp · Ingela Anderton Andin · May 29, 2026
1 file changed · +1 -1
  • lib/ssl/src/inet_tls_dist.erl (+1 -1, modified)
    @@ -708,7 +708,7 @@ check_ip(Socket) ->
                           end,
                     {ok, Ifaddrs} ?= inet:getifaddrs(),
                     {ok, Netmask} ?= find_netmask(IP, Ifaddrs),
    -                {ok, {PeerIP, _}} ?= inet:sockname(Socket),
    +                {ok, {PeerIP, _}} ?= inet:peername(Socket),
                     ok ?= if is_tuple(PeerIP) -> ok;
                              true -> {error, {no_ip_address, PeerIP}}
                           end,
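Review bot: the one-word swap from `inet:sockname(Socket)` to `inet:peername(Socket)` is the right fix, but the hunk ships no regression test, and the old line failed open silently because the masked local address was compared with itself. Suggest adding a test in the same change that feeds `check_ip/1` a connected socket whose peer lies outside the netmask returned by `find_netmask(IP, Ifaddrs)` and asserts rejection, plus one inside the subnet that asserts `ok`, so a future refactor cannot reintroduce the local-address comparison unnoticed. The following `is_tuple(PeerIP)` guard still applies unchanged to the value `inet:peername/1` returns, so no further adjustment is needed there.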
    

Vulnerability mechanics

Root cause

"The inet_tls_dist module incorrectly uses inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address, causing authentication bypass."

Attack vector

An attacker must hold a valid certificate signed by the same Certificate Authority (CA) used by the target Erlang cluster. The Erlang distribution must be configured to use TLS and the kernel environment variable `check_ip` must be set to true. If these conditions are met, the attacker can connect to the Erlang node, bypassing the LAN allowlist restriction and gaining unauthorized distribution access. This allows for actions such as `rpc:call/4` and `code:load_binary/3` [ref_id=1].

Affected code

The vulnerability resides in the `lib/ssl/src/inet_tls_dist.erl` file, specifically within the `check_ip/1` function. The incorrect usage of `inet:sockname/1` to retrieve the peer's IP address is the core of the issue [ref_id=1].

What the fix does

The patch modifies the `inet_tls_dist:check_ip/1` function by changing the call from `inet:sockname(Socket)` to `inet:peername(Socket)` [patch_id=5502029]. This ensures that the actual IP address of the connecting peer is retrieved, rather than the local socket address. Consequently, the subnet mask comparison will now correctly validate the remote IP against the local network, enforcing the intended LAN restriction and preventing bypass.
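The following Python model, added here to illustrate the mechanism and not taken from OTP, reproduces the decision `check_ip/1` makes: look up the local interface's netmask, mask the local and peer addresses with it, and accept only when both fall in the same network. The `Socket`, `sockname`, `peername`, `find_netmask` and interface table are hypothetical stand-ins for `inet:sockname/1`, `inet:peername/1`, `find_netmask/2` and `inet:getifaddrs/0`, and all addresses are constructed sample values. The two entry points show why the pre-fix version accepts every peer while the fixed version enforces the LAN allowlist.

```python
"""Model of the inet_tls_dist:check_ip/1 subnet test (illustration, not OTP code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Socket:
    """Stand-in for a connected TCP socket: the two endpoint addresses."""
    local_ip: str  # what inet:sockname/1 reports (our own side)
    peer_ip: str   # what inet:peername/1 reports (the remote side)


def sockname(sock: Socket) -> str:
    """Hypothetical analogue of inet:sockname/1: the local address."""
    return sock.local_ip


def peername(sock: Socket) -> str:
    """Hypothetical analogue of inet:peername/1: the remote address."""
    return sock.peer_ip


# Constructed interface table: (name, address, netmask), in the spirit of inet:getifaddrs/0.
IFADDRS: List[Tuple[str, str, str]] = [
    ("lo", "127.0.0.1", "255.0.0.0"),
    ("eth0", "10.0.0.5", "255.255.255.0"),
]


def find_netmask(ip: str, ifaddrs: List[Tuple[str, str, str]]) -> Optional[str]:
    """Return the netmask of the interface that owns `ip`, or None (analogue of find_netmask/2)."""
    for _name, addr, mask in ifaddrs:
        if addr == ip:
            return mask
    return None


def same_subnet(local_ip: str, other_ip: str, netmask: str) -> bool:
    """True when `other_ip` lies in the network formed by `local_ip`/`netmask`."""
    local = ipaddress.ip_address(local_ip)
    other = ipaddress.ip_address(other_ip)
    if local.version != other.version:
        return False  # a v4 mask can never admit a v6 peer, and vice versa
    network = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return other in network


def _check_ip(sock: Socket, ifaddrs, use_peername: bool) -> bool:
    """Shared body; the only difference between the two variants is where the 'peer' address comes from."""
    local_ip = sockname(sock)  # assumption: the node's own address comes from sockname
    netmask = find_netmask(local_ip, ifaddrs)
    if netmask is None:
        return False  # no interface owns this address: nothing to compare against
    candidate_peer = peername(sock) if use_peername else sockname(sock)
    return same_subnet(local_ip, candidate_peer, netmask)


def check_ip_vulnerable(sock: Socket, ifaddrs=IFADDRS) -> bool:
    """Pre-fix logic: the 'peer' address is the local address, so the masks always match."""
    return _check_ip(sock, ifaddrs, use_peername=False)


def check_ip_fixed(sock: Socket, ifaddrs=IFADDRS) -> bool:
    """Post-fix logic: the peer address really is the remote end."""
    return _check_ip(sock, ifaddrs, use_peername=True)


# Constructed sample connections to a node at 10.0.0.5/24.
LAN_PEER = Socket(local_ip="10.0.0.5", peer_ip="10.0.0.9")
REMOTE_PEER = Socket(local_ip="10.0.0.5", peer_ip="203.0.113.7")

if __name__ == "__main__":
    for label, sock in (("LAN peer", LAN_PEER), ("remote peer", REMOTE_PEER)):
        print(f"{label}: vulnerable={check_ip_vulnerable(sock)} fixed={check_ip_fixed(sock)}")
```

Running the block shows the vulnerable check returning True for both connections and the fixed check returning True only for the peer inside 10.0.0.0/24, which is exactly the allowlist behaviour the description says the bug defeated.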

Preconditions

  • Config: Erlang distribution configured to use TLS (-proto_dist inet_tls).
  • Config: Kernel environment variable `check_ip` is set to true.
  • Auth: Attacker possesses a valid TLS certificate signed by the same CA as the target cluster's certificates.
  • Config: The cluster's TLS verification accepts certificates not exclusively issued to cluster members (i.e., a shared CA).

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
