CVE-2026-1301: CWE-787 Out-of-bounds Write in o6 Automation GmbH Open62541
In builds with PubSub and JSON enabled, a crafted JSON message can cause the decoder to write beyond a heap-allocated array before authentication, reliably crashing the process and corrupting memory.
AI Analysis
Technical Summary
CVE-2026-1301 is an out-of-bounds write (CWE-787) in Open62541, the open-source OPC UA implementation maintained by o6 Automation GmbH. It affects only builds in which both PubSub (Publish-Subscribe) and JSON encoding are enabled. When the decoder processes a crafted JSON message, it writes beyond the bounds of a heap-allocated array. The decoding happens before any authentication step, so an unauthenticated attacker who can reach the service over the network can trigger the flaw by sending malicious JSON data. The result is a reliable process crash and memory corruption: at minimum a denial of service, and potentially further exploitation such as arbitrary code execution, depending on the impact of the corruption. The vulnerability has a CVSS 4.0 base score of 6.8 (medium severity). The attack vector is network-based with low attack complexity and no privileges required, but user interaction is necessary to trigger the vulnerability. No patches or exploits are currently publicly available; the affected version is identified as 1.5-rc1. Open62541 is widely used in industrial automation and IoT devices implementing OPC UA, so this vulnerability is relevant to critical infrastructure and industrial control systems.
Potential Impact
For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors, this vulnerability poses a risk of denial of service through process crashes and memory corruption. Systems relying on Open62541 for OPC UA communication with PubSub and JSON enabled could be disrupted, impacting operational technology environments. The unauthenticated nature of the attack increases exposure, as attackers can send malicious JSON messages over the network without credentials. This could lead to temporary outages, loss of control, or in worst cases, facilitate further exploitation if memory corruption is leveraged. The impact is particularly significant for industries with high reliance on OPC UA for real-time data exchange and control, such as automotive manufacturing, energy grids, and smart factories prevalent in Europe. Disruptions could affect production lines, safety systems, and data integrity, leading to financial and reputational damage.
Mitigation Recommendations
Organizations should monitor for updates from o6 Automation GmbH and apply patches or upgrades to versions beyond 1.5-rc1 once available. Until patches are released, it is critical to disable PubSub and JSON encoding features if not strictly necessary or to implement strict input validation and filtering on JSON messages at network boundaries. Network segmentation should be enforced to isolate OPC UA communication channels from untrusted networks and limit exposure to potential attackers. Deploying intrusion detection systems with signatures for anomalous JSON payloads targeting OPC UA may help detect exploitation attempts. Additionally, enforcing strict authentication and authorization policies on OPC UA servers, even though this vulnerability occurs pre-authentication, can reduce overall attack surface. Regular security audits and penetration testing focused on industrial protocols should be conducted to identify and remediate similar risks.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-01-21T18:52:45.866Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6984ec3ef9fa50a62f33cd86
Added to database: 2/5/2026, 7:15:10 PM
Last enriched: 2/5/2026, 7:29:36 PM
Last updated: 2/5/2026, 9:27:19 PM