CVE-2026-45574
HIGH8.1EPSS 0.01%epa4all-client: TLS Certificate Validation Disabled in Production
Description
### Impact An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. ### Patches [#36](https://github.com/oviva-ag/epa4all-client/pull/36) ### Workarounds Use the library directly instead of the REST wrapper. ### Resources - MS-OVIVA-EPA4ALL-771a78 ### Credits [Machine Spirits](https://machinespirits.com/) ([[email protected]](mailto:[email protected])) - Dr. rer. nat. Simon Weber - Dipl.-Inf. Volker Schönefeld - Chiara Fliegner
Affected packages (1)
- Maven/com.oviva.telematik:epa4all-clientfrom 0, < 1.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (5)
- PATCHhttps://github.com/oviva-ag/epa4all-client
- WEBhttps://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32
- WEBhttps://github.com/oviva-ag/epa4all-client/pull/36
- WEBhttps://github.com/oviva-ag/epa4all-client/releases/tag/v1.2.2
- WEBhttps://github.com/oviva-ag/epa4all-client/security/advisories/GHSA-5hhf-xmfx-4vvr