epa4all-client: Unauthenticated REST API for Patient Record Writes

GHSA-c82x-f4xr-qv33 · CVE-2026-47672

Published Jun 4, 2026 · Modified Jun 4, 2026

Description

Impact

Any network-reachable caller can write arbitrary documents to any patient's electronic
health record accessible by the institution's SMC-B card. In a misconfigured deployment
(e.g., following the production Docker example in the README), this is exploitable from
the local network without credentials.

Patches

Workarounds

Use network policies or proxies to enforce service-to-service authentication via e.g. mTLS.

run the service in an isolated network namespace e.g. as Kubernetes sidecar
service-mesh with corresponding policies

References

MS-OVIVA-EPA4ALL-8b2af7

Credits

Machine Spirits (contact@machinespirits.de)

Dr. rer. nat. Simon Weber
Dipl.-Inf. Volker Schönefeld
Chiara Fliegner

References

WEB https://github.com/oviva-ag/epa4all-client/security/advisories/GHSA-c82x-f4xr-qv33
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-47672
WEB https://github.com/oviva-ag/epa4all-client/pull/43
PACKAGE https://github.com/oviva-ag/epa4all-client

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes