Erlang/OTP Information Disclosure Vulnerability, CVSS 5.4

CERT-Bund

Changeflow GovPing Data Privacy & Cybersecurity Erlang/OTP Information Disclosure Vulnerability...

Priority review Notice Added Final

Erlang/OTP Information Disclosure Vulnerability, CVSS 5.4

CERT-Bund Security Advisories

Published April 23rd, 2026

Detected April 23rd, 2026

Email

Summary

CERT-Bund issued a security advisory regarding an information disclosure vulnerability in Erlang/OTP (Open Telecom Platform). The vulnerability has a CVSS Base Score of 5.4 (medium) and CVSS Temporal Score of 4.7 (medium), with remote attack capability confirmed. Affected versions include Open Source Erlang/OTP OTP versions prior to 26.2.5.17, 27.3.4.8, and 28.3.2, as well as inets versions prior to 7.0 and tftp versions prior to 1.0. A remote, authenticated attacker can exploit this vulnerability to disclose information. Mitigations are available.

“Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Erlang/OTP ausnutzen, um Informationen offenzulegen.”

— CERT-Bund , verbatim from source

Published by CERT-Bund on wid.cert-bund.de . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .

About this source

CERT-Bund is the German federal cybersecurity agency's incident response team, run by the BSI. Their advisory feed publishes vulnerability disclosures and active exploitation warnings for software in widespread enterprise use: VPN appliances, email servers, file transfer products, ERP systems, browsers, hypervisors. Around 280 advisories a month, each with a CVSS score, affected versions, and remediation guidance. The advisories are written in German but cover the same vulnerabilities that show up in CISA, NCSC-UK, and JPCERT bulletins, often hours earlier. Watch this if you patch enterprise software, run a SOC, or write detection rules. GovPing publishes each advisory with the affected vendor, CVSS score, and original CERT-Bund link.

View original document View source feed page

What changed

CERT-Bund published a security advisory detailing an information disclosure vulnerability in Erlang/OTP. The vulnerability allows a remote, authenticated attacker to exploit Erlang/OTP and disclose information. Multiple product versions across OTP, inets, and tftp components are affected, with CVSS scores indicating medium severity. SUSE openSUSE is also listed as affected.

Organizations running Erlang/OTP on Linux or UNIX systems should review their installed versions and apply available mitigations. Security teams should prioritize patching to the latest fixed versions (26.2.5.17, 27.3.4.8, 28.3.2 for OTP; 7.0 for inets; 1.1.1.1, 1.2.2.1, 1.2.4 for tftp) to address the vulnerability.

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

[WID-SEC-2026-0473] Erlang/OTP: Schwachstelle ermöglicht Offenlegung von Informationen CVSS Base Score 5.4 (mittel) CVSS Temporal Score 4.7 (mittel) Remoteangriff ja Datum 22.02.2026 Stand UPDATE 23.04.2026 Mitigation ja

Betroffene Systeme

Betriebssystem

Linux
UNIX

Produktbeschreibung

Erlang/OTP (Open Telecom Platform) ist eine Sammlung von Bibliotheken und Tools, die auf der Programmiersprache Erlang basieren und für den Aufbau skalierbarer, fehlertoleranter und verteilter Systeme entwickelt wurden.

Produkte

UPDATE 22.04.2026
- SUSE openSUSE
22.02.2026
- Open Source Erlang/OTP OTP <26.2.5.17

Open Source Erlang/OTP OTP <27.3.4.8
Open Source Erlang/OTP OTP <28.3.2
Open Source Erlang/OTP inets <7.0
Open Source Erlang/OTP tftp <1.1.1.1
Open Source Erlang/OTP tftp <1.2.2.1
Open Source Erlang/OTP tftp <1.2.4

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Erlang/OTP ausnutzen, um Informationen offenzulegen. CVE Informationen Versionshistorie Feedback zum Advisory geben

Related changes

TYPO3 Core 14.2.0 Information Disclosure Vulnerability - CVSS 7.4 High

Priority review Apr 21, 2026 • CERT-Bund Security Advisories • Data Privacy & Cybersecurity

Red Hat Quay Security Bypass Vulnerability, CVSS 5.4

Priority review Apr 23, 2026 • CERT-Bund Security Advisories • Data Privacy & Cybersecurity

CPython Vulnerability Allows Remote Attack, CVSS 8.6

Priority review Apr 22, 2026 • CERT-Bund Security Advisories • Data Privacy & Cybersecurity

Get daily alerts for CERT-Bund Security Advisories

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

CERT-Bund Security Advisories wid.cert-bund.de/content/public/securityAdvisory/rss

Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CERT-Bund.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

April 23, 2026

Press inquiries →

Classification

Agency

CERT-Bund

Published

April 23rd, 2026

Instrument

Notice

Branch

Executive

Source language

de

Legal weight

Non-binding

Stage

Final

Change scope

Minor

Who this affects

Applies to

Technology companies Government agencies

Industry sector

5112 Software & Technology

Activity scope

Vulnerability disclosure Software patching

Geographic scope

Germany DE

Taxonomy

Primary area

Cybersecurity

Operational domain

IT Security

Compliance frameworks

NIST CSF

Topics

Software & Technology Data Privacy

Erlang/OTP Information Disclosure Vulnerability, CVSS 5.4

Summary

About this source

What changed

Archived snapshot

Betroffene Systeme

Betriebssystem

Produktbeschreibung

Produkte

Angriff

Angriff

Related changes

Source

About this page

Classification

Who this affects

Taxonomy

Browse Categories

Get alerts for this source

Subscribed!