CVE-2026-6899 PUBLISHED

Improper Check for Certificate Revocation in S2OPC

Assigner: GitLab
Reserved: 23.04.2026 Published: 09.06.2026 Updated: 09.06.2026

Check for certificate revocation only considers the first matching CRL and ignores other valid CRLs of the same CA in the CycloneCrypto cryptographic wrapper of S2OPC library. It might allow connection between an OPC UA client and server using a revoked certificate.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 5.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Systerel
Product	S2OPC
Versions	Default: unaffected affected from 1.5.0 to 1.7.3 (excl.)

Solutions

Use MbedTLS cryptographic wrapper, or upgrade S2OPC to commit 3ff81301d95a77260e9deb791585a620c5623028 or release version > 1.7.2

Credits

Systerel finder

References

https://gitlab.com/systerel/S2OPC/-/work_items/1739

Problem Types

CWE-299: Improper Check for Certificate Revocation CWE