epa4all-client CVE-2026-45574
HIGHSeverity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 maven packages depend on com.oviva.telematik:epa4all-client (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.2.2.
DescriptionGitHub Advisory
Impact
An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges.
Patches
Workarounds
Use the library directly instead of the REST wrapper.
Resources
- MS-OVIVA-EPA4ALL-771a78
Credits
Machine Spirits ([contact@machinespirits.de](mailto:contact@machinespirits.de))
- Dr. rer. nat. Simon Weber
- Dipl.-Inf. Volker Schönefeld
- Chiara Fliegner
AnalysisAI
Missing TLS certificate validation in epa4all-client allows adjacent network attackers to intercept SOAP traffic between ePA services and Konnektor systems. The vulnerability affects versions prior to 1.2.2 and enables man-in-the-middle attacks using self-signed, expired, or otherwise invalid certificates to access patient identifiers (KVNR), SMC-B card operations, document content, and credential exchanges. No public exploit identified at time of analysis, with CVSS 8.1 indicating high impact on adjacent network segments.
Technical ContextAI
The epa4all-client is a Java library for German healthcare telematics infrastructure (TI) that facilitates communication between electronic patient record (ePA) services and Konnektor devices. The vulnerability stems from CWE-295 (Improper Certificate Validation) where the TLS implementation fails to properly validate server certificates during HTTPS connections. The library uses Java's SSLContext and TrustManager components, but was missing proper certificate chain validation against the Telematik trust roots (PU and RU certificate stores). This allows attackers to present any certificate without proper verification.
RemediationAI
Vendor-released patch: version 1.2.2 addresses the vulnerability by implementing proper TLS certificate validation against Telematik trust roots. Organizations should upgrade to epa4all-client version 1.2.2 or later via Maven dependency update. The fix is available at https://github.com/oviva-ag/epa4all-client/releases/tag/v1.2.2 with technical changes in pull request #36. As a workaround, the vendor suggests using the library directly instead of the REST wrapper, though this may require significant code changes. For immediate mitigation before patching, ensure network segmentation prevents untrusted devices from positioning between ePA services and Konnektor systems.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-5hhf-xmfx-4vvr