Skip to main content

epa4all-client CVE-2026-45574

HIGH
Improper Certificate Validation (CWE-295)
2026-05-15 https://github.com/oviva-ag/epa4all-client GHSA-5hhf-xmfx-4vvr
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 15, 2026 - 19:00 vuln.today
Analysis Generated
May 15, 2026 - 19:00 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on com.oviva.telematik:epa4all-client (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.2.2.

DescriptionGitHub Advisory

Impact

An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges.

Patches

#36

Workarounds

Use the library directly instead of the REST wrapper.

Resources

  • MS-OVIVA-EPA4ALL-771a78

Credits

Machine Spirits ([contact@machinespirits.de](mailto:contact@machinespirits.de))

  • Dr. rer. nat. Simon Weber
  • Dipl.-Inf. Volker Schönefeld
  • Chiara Fliegner

AnalysisAI

Missing TLS certificate validation in epa4all-client allows adjacent network attackers to intercept SOAP traffic between ePA services and Konnektor systems. The vulnerability affects versions prior to 1.2.2 and enables man-in-the-middle attacks using self-signed, expired, or otherwise invalid certificates to access patient identifiers (KVNR), SMC-B card operations, document content, and credential exchanges. No public exploit identified at time of analysis, with CVSS 8.1 indicating high impact on adjacent network segments.

Technical ContextAI

The epa4all-client is a Java library for German healthcare telematics infrastructure (TI) that facilitates communication between electronic patient record (ePA) services and Konnektor devices. The vulnerability stems from CWE-295 (Improper Certificate Validation) where the TLS implementation fails to properly validate server certificates during HTTPS connections. The library uses Java's SSLContext and TrustManager components, but was missing proper certificate chain validation against the Telematik trust roots (PU and RU certificate stores). This allows attackers to present any certificate without proper verification.

RemediationAI

Vendor-released patch: version 1.2.2 addresses the vulnerability by implementing proper TLS certificate validation against Telematik trust roots. Organizations should upgrade to epa4all-client version 1.2.2 or later via Maven dependency update. The fix is available at https://github.com/oviva-ag/epa4all-client/releases/tag/v1.2.2 with technical changes in pull request #36. As a workaround, the vendor suggests using the library directly instead of the REST wrapper, though this may require significant code changes. For immediate mitigation before patching, ensure network segmentation prevents untrusted devices from positioning between ePA services and Konnektor systems.

Share

CVE-2026-45574 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy