Improper Check for Certificate Revocation in S2OPC
Summary
| CVE | CVE-2026-6899 |
|---|---|
| State | PUBLISHED |
| Assigner | GitLab |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-09 09:16:30 UTC |
| Updated | 2026-06-09 15:25:56 UTC |
| Description | Check for certificate revocation only considers the first matching CRL and ignores other valid CRLs of the same CA in the CycloneCrypto cryptographic wrapper of S2OPC library. It might allow connection between an OPC UA client and server using a revoked certificate. |
Risk And Classification
Primary CVSS: v3.1 5.6 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Problem Types: CWE-299 | CWE-299 CWE-299: Improper Check for Certificate Revocation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | CNA | CVSS | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
LowCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| gitlab.com/systerel/S2OPC/-/work_items/1739 | [email protected] | gitlab.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Systerel (en)
Additional Advisory Data
Solutions
CNA: Use MbedTLS cryptographic wrapper, or upgrade S2OPC to commit 3ff81301d95a77260e9deb791585a620c5623028 or release version > 1.7.2
There are currently no legacy QID mappings associated with this CVE.