HIGH 8.1 Maven
epa4all-client: TLS Certificate Validation Disabled in Production
GHSA-5hhf-xmfx-4vvr · CVE-2026-45574
Description
Impact
An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges.
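The following Java snippet is an added illustration and is not code from epa4all-client: it shows the "trust everything" trust-manager pattern that produces exactly the behaviour described above, the validating configuration a client should use instead, and a startup self-test a deployment can run to refuse a client whose trust manager does no validation. The class name `KonnektorTlsGuard` and the operator-supplied trust store are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public final class KonnektorTlsGuard {

    // Anti-pattern: a trust manager that accepts any chain. An SSLContext initialised
    // with this accepts self-signed, expired and wrong-CN server certificates.
    // Listed only so reviewers recognise the shape in code review.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Hardened: PKIX validation against an explicit trust store (assumed to hold the
    // Konnektor's issuing CA). Hostname verification stays on in the HTTPS layer.
    static SSLContext validatingContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);              // null would mean the JDK default cacerts
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Startup self-test. A real PKIX trust manager rejects an empty chain by throwing;
    // a "trust everything" stub returns normally. Refuse to start the client if the
    // trust manager it is about to use behaves like the stub.
    static boolean acceptsEverything(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;   // no validation happened at all
        } catch (Exception expected) {
            return false;  // validation is at least being attempted
        }
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);         // JDK default trust store
        X509TrustManager jdkDefault = (X509TrustManager) tmf.getTrustManagers()[0];
        System.out.println("stub accepts everything:    " + acceptsEverything(TRUST_EVERYTHING));
        System.out.println("default accepts everything: " + acceptsEverything(jdkDefault));
        if (acceptsEverything(jdkDefault)) throw new IllegalStateException("TLS validation disabled");
    }
}
```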
Patches
Workarounds
Use the library directly instead of the REST wrapper.
Resources
- MS-OVIVA-EPA4ALL-771a78
Credits
Machine Spirits (contact@machinespirits.de)
- Dr. rer. nat. Simon Weber
- Dipl.-Inf. Volker Schönefeld
- Chiara Fliegner
References
- WEB https://github.com/oviva-ag/epa4all-client/security/advisories/GHSA-5hhf-xmfx-4vvr
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-45574
- WEB https://github.com/oviva-ag/epa4all-client/pull/36
- WEB https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32
- PACKAGE https://github.com/oviva-ag/epa4all-client
- WEB https://github.com/oviva-ag/epa4all-client/releases/tag/v1.2.2