https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff reports:
Erlang/OTP's public_key application fails to validate the
validity period of OCSP responder certificates during
response verification. An attacker possessing an expired
OCSP responder's private key can forge responses that the
system accepts as valid, potentially allowing acceptance of
revoked TLS certificates in OCSP stapling scenarios or
authentication bypass in applications using the
public_key:pkix_ocsp_validate/5 API directly.
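
Added example, not part of the advisory and not Erlang/OTP code: a Python sketch of the check the advisory says was missing, namely that an OCSP response is rejected when the responder certificate is outside its validity period even though the signature verifies. All function names and sample values are hypothetical, and signature verification is assumed to happen elsewhere and is passed in as signature_ok.

```python
from datetime import datetime, timezone

def parse_validity_time(kind, text):
    """Decode an X.509 Validity time (RFC 5280, 4.1.2.5) to an aware UTC datetime."""
    if not text.endswith("Z"):
        raise ValueError("certificate times must be expressed in UTC (Z)")
    digits = text[:-1]
    if kind == "utcTime" and len(digits) == 12:
        # Two-digit year: RFC 5280 maps YY >= 50 to 19YY, otherwise 20YY.
        digits = ("19" if int(digits[:2]) >= 50 else "20") + digits
    elif not (kind == "generalTime" and len(digits) == 14):
        raise ValueError(f"unsupported time encoding: {kind} {text!r}")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def responder_cert_in_validity(validity, at):
    """True only if notBefore <= at <= notAfter for the responder certificate."""
    not_before = parse_validity_time(*validity["notBefore"])
    not_after = parse_validity_time(*validity["notAfter"])
    return not_before <= at <= not_after

def accept_ocsp_response(signature_ok, responder_validity, now):
    """Gate an OCSP response: a good signature alone is not sufficient."""
    if not signature_ok:
        return False, "bad_signature"
    try:
        if not responder_cert_in_validity(responder_validity, now):
            return False, "responder_cert_outside_validity"
    except (KeyError, TypeError, ValueError):
        return False, "responder_cert_unparseable"  # fail closed
    return True, "ok"

# Constructed sample data (not taken from a real certificate).
EXPIRED = {"notBefore": ("utcTime", "220101000000Z"),
           "notAfter": ("utcTime", "230101000000Z")}
CURRENT = {"notBefore": ("utcTime", "240101000000Z"),
           "notAfter": ("generalTime", "20500101000000Z")}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(accept_ocsp_response(True, EXPIRED, NOW))
    print(accept_ocsp_response(True, CURRENT, NOW))
```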