PatchSiren cyber security CVE debrief

CVE-2026-48858 Erlang CVE debrief

A Server-Side Request Forgery (SSRF) vulnerability exists in the Erlang/OTP ftp application (ftp_internal module). It allows FTP bounce attacks and SSRF through an unvalidated PASV response IP address. The PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without checking it against the peer address of the control connection. A malicious server can therefore steer the client's data connection to internal hosts, cloud metadata endpoints, or third-party hosts (FTP bounce). The ftp application is deprecated and scheduled for removal in OTP-30.

Vendor: Erlang
Product: OTP
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-11
Advisory published: 2026-06-10
Advisory updated: 2026-06-11

Who should care

Users of Erlang/OTP from 17.4 up to, but not including, the fixed releases 29.0.2, 28.5.0.2 and 27.3.4.13 are affected. This corresponds to inets from 5.10.4 before 7.0, and to the ftp application from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.

Technical summary

The vulnerability is caused by the PASV handler in ftp_internal:handle_ctrl_result/2 not validating the IP address carried in the server's 227 (Entering Passive Mode) reply. Because the client opens the data connection to whatever address the server supplies, a malicious or compromised FTP server can redirect that connection to an arbitrary internal host and port.
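The following is an added Python illustration of the check the vulnerable handler lacks; it is not code from OTP or from the fix. It parses a 227 reply and accepts the PASV address only when it equals the peer address of the control connection, rejecting the constructed sample replies that point elsewhere.

```python
import ipaddress
import re

# The h1,h2,h3,h4,p1,p2 tuple inside a "227 Entering Passive Mode (...)" reply (RFC 959).
_PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class PasvValidationError(ValueError):
    """Raised when a 227 reply is malformed or would redirect the data channel."""


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Extract (host, port) from a 227 reply; port = p1 * 256 + p2."""
    if not line.startswith("227"):
        raise PasvValidationError(f"not a 227 reply: {line!r}")
    match = _PASV_RE.search(line)
    if match is None:
        raise PasvValidationError(f"malformed PASV reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise PasvValidationError(f"value out of range in PASV reply: {line!r}")
    port = (p1 << 8) | p2
    if port == 0:
        raise PasvValidationError(f"PASV reply advertises port 0: {line!r}")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_endpoint(line: str, control_peer_ip: str) -> tuple[str, int]:
    """Endpoint the client may use for the data channel.

    The advertised host is accepted only if it is the same address the
    control connection is already talking to; anything else is refused
    instead of being handed to the socket layer.
    """
    host, port = parse_pasv_reply(line)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        raise PasvValidationError(
            f"PASV host {host} differs from control peer {control_peer_ip}")
    return host, port


def is_safe_pasv(line: str, control_peer_ip: str) -> bool:
    """Convenience wrapper: True if the reply passes validation."""
    try:
        data_endpoint(line, control_peer_ip)
        return True
    except PasvValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample: control connection peer is 192.0.2.10 (documentation range).
    PEER = "192.0.2.10"
    print(data_endpoint("227 Entering Passive Mode (192,0,2,10,195,80)", PEER))
    print(is_safe_pasv("227 Entering Passive Mode (169,254,169,254,0,80)", PEER))
```

Python's own ftplib takes the same approach when `FTP.trust_server_pasv_ipv4_address` is left at its default of False, using the control connection's host instead of the advertised one.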

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to a fixed version of Erlang/OTP: 29.0.2, 28.5.0.2, 27.3.4.13 or later.
  • Use a version of inets greater than or equal to 7.0 or a version of ftp greater than or equal to 1.2.6, 1.2.4.1, or 1.2.3.1.
  • Consider using a different FTP implementation.

Evidence notes

CVE-2026-48858 has a CVSS score of 6.3 and is classified as MEDIUM severity.

Official resources

CVE-2026-48858 was published on 2026-06-10T16:17:11.077Z and modified on 2026-06-11T19:27:00.053Z.