Erlang security advisory (AV26-320)

Serial number: AV26-320
Date: April 7, 2026

On April 7, 2026, Erlang published a security advisory to address a vulnerability in the following products:

• inets (OTP) – versions prior to 9.1.0.6, 9.3.2.4 and 9.6.2
• OTP – versions prior to 28.4.2, 27.3.4.10, and 26.2.5.19
• Public_key (OTP) – versions prior to 1.17.1.2 and 1.20.3
• ssl (OTP) – versions prior to 11.2.12.7 and 11.5.4

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.

• OCSP designated-responder authorization bypass — missing signature verification (RFC 6960 §4.2.2.2)
• ScriptAlias CGI targets bypass `directory` auth (mod_auth vs mod_cgi path mismatch)
• Erlang Security