CVE-2026-47672
epa4all-client: Unauthenticated REST API for Patient Record Writes
Description
### Impact

Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without credentials.

### Patches

- [#43](https://github.com/oviva-ag/epa4all-client/pull/43)

### Workarounds

Use network policies or proxies to enforce service-to-service authentication via e.g. mTLS:

- run the service in an isolated network namespace, e.g. as a Kubernetes sidecar
- use a service mesh with corresponding policies

### References

- MS-OVIVA-EPA4ALL-8b2af7

### Credits

[Machine Spirits](https://machinespirits.com/) ([[email protected]](mailto:[email protected]))

- Dr. rer. nat. Simon Weber
- Dipl.-Inf. Volker Schönefeld
- Chiara Fliegner
How to fix CVE-2026-47672
No patched version has been released yet. Consider removing the affected package, or refer to the upstream advice in the links below.
- No fixed version listed
Is CVE-2026-47672 being exploited?
There are currently no signals of exploitation. CVE-2026-47672 is neither listed in the CISA KEV nor does it have a recent EPSS score.
Affected packages (1)
- from 0, <= 1.2.4
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |