CVE-2026-6899
MediumCVSS 5.6Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
In the S2OPC library's CycloneCrypto cryptographic wrapper, certificate revocation checks only consider the first matching CRL, ignoring other valid CRLs from the same CA. This may allow a connection between an OPC UA client and server using a revoked certificate.
Risk Assessment
The organization may be at risk of establishing connections with unauthorized entities, potentially leading to data security breaches.
Recommendation
It is recommended to update the S2OPC library and implement additional certificate verification mechanisms to ensure that all CRLs are considered.
Original NVD description (English source)
Check for certificate revocation only considers the first matching CRL and ignores other valid CRLs of the same CA in the CycloneCrypto cryptographic wrapper of S2OPC library. It might allow connection between an OPC UA client and server using a revoked certificate.

