PatchSiren cyber security CVE debrief

CVE-2026-1301 o6 Automation GmbH CVE debrief

CISA’s CSAF advisory for Open62541 says that, in builds with PubSub and JSON enabled, a crafted JSON message can make the decoder write beyond the bounds of a heap-allocated array before authentication. The result is a reliable process crash and a risk of memory corruption. CISA assigns CVSS v3.1 5.7 (MEDIUM) and recommends upgrading to stable release v1.5.0.

Vendor: o6 Automation GmbH
Product: Open62541
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-05
Original CVE updated: 2026-02-05
Advisory published: 2026-02-05
Advisory updated: 2026-02-05

Who should care

Organizations running Open62541 in OT/ICS environments, especially deployments with PubSub and JSON enabled; system integrators; platform maintainers; and incident responders supporting exposed or network-reachable installations.

Technical summary

The advisory describes a heap-based out-of-bounds write in the JSON decoder path of Open62541 when PubSub and JSON are enabled. A crafted JSON message can trigger the issue before authentication, causing a denial of service through process crash and creating a memory-corruption condition. The supplied CVSS vector is AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H: network-reachable, low attack complexity, low privileges required, user interaction required, unchanged scope, and high availability impact with no confidentiality or integrity impact.

Defensive priority

High for exposed or actively used deployments; Medium overall based on the published CVSS score.

Recommended defensive actions

  • Upgrade Open62541 to stable release v1.5.0 as recommended by the vendor.
  • Inventory deployments to identify systems built with PubSub and JSON enabled.
  • Prioritize remediation for any deployment that can receive untrusted JSON over the network.
  • Apply CISA ICS recommended practices and defense-in-depth controls to reduce exposure around affected services.
  • Monitor affected environments for unexpected process crashes, decoder faults, or other memory-corruption symptoms.
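As an added example for the inventory step (not code from the advisory or the open62541 project), the following Python check reads an open62541 build's generated config.h and flags builds that have both PubSub and JSON encoding compiled in and are older than the recommended v1.5.0. The macro names UA_ENABLE_PUBSUB, UA_ENABLE_JSON_ENCODING and UA_OPEN62541_VER_* are assumed to match the generated header and should be verified against your build tree; the sample header is constructed.

```python
import re

# Constructed sample of an open62541 generated config.h (not from a real build).
# Macro names are assumed to match the generated header; verify in your tree.
SAMPLE_CONFIG_H = """
#define UA_OPEN62541_VER_MAJOR 1
#define UA_OPEN62541_VER_MINOR 4
#define UA_OPEN62541_VER_PATCH 2
#define UA_ENABLE_PUBSUB
#define UA_ENABLE_JSON_ENCODING
#define UA_ENABLE_METHODCALLS
"""

FIXED_VERSION = (1, 5, 0)  # stable release recommended by the CISA advisory

# Matches "#define NAME" and "#define NAME VALUE"; value is '' for flag-style defines.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)(?:\s+(\S+))?\s*$", re.MULTILINE)


def parse_defines(config_h: str) -> dict:
    """Map every #define in the header text to its value ('' when it has none)."""
    return {name: (value or "") for name, value in DEFINE_RE.findall(config_h)}


def build_version(defines: dict):
    """Return (major, minor, patch) or None when the version macros are absent."""
    try:
        return tuple(int(defines[f"UA_OPEN62541_VER_{p}"])
                     for p in ("MAJOR", "MINOR", "PATCH"))
    except (KeyError, ValueError):
        return None


def assess_build(config_h: str) -> dict:
    """Flag a build when PubSub and JSON are both compiled in and the version
    is older than (or cannot be determined relative to) the recommended release."""
    defines = parse_defines(config_h)
    pubsub = "UA_ENABLE_PUBSUB" in defines
    json_enc = "UA_ENABLE_JSON_ENCODING" in defines
    version = build_version(defines)
    below_fix = version is None or version < FIXED_VERSION  # unknown version treated conservatively
    affected = pubsub and json_enc
    return {
        "version": version,
        "pubsub": pubsub,
        "json": json_enc,
        "affected_config": affected,
        "action": "upgrade to v1.5.0" if (affected and below_fix) else "none required by this advisory",
    }


if __name__ == "__main__":
    print(assess_build(SAMPLE_CONFIG_H))
```

Run it against the config.h of each deployed build (or feed it the file contents from a fleet inventory) to list the deployments that need priority remediation.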

Evidence notes

All substantive claims here come from the CISA CSAF advisory ICSA-26-036-03 and its linked CVE record for CVE-2026-1301. The advisory states the affected configuration (PubSub plus JSON enabled), the pre-authentication crafted JSON trigger, the crash/memory-corruption impact, the CVSS v3.1 vector, and the vendor remediation to upgrade to stable v1.5.0.

Official resources

Publicly disclosed by CISA on 2026-02-05 in advisory ICSA-26-036-03, with the source advisory initially published the same day. The remediation guidance in the advisory recommends upgrading to stable release v1.5.0.