CVE-2026-45574
Severity: HIGH
epa4all-client: TLS Certificate Validation Disabled in Production
Title source: cnaDescription
epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. This vulnerability is fixed in 1.2.2.
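The following is an added illustration, not code from epa4all-client and not the change in pull request 36 (this page does not show how the project itself configures TLS). It places the trust-all TrustManager and HostnameVerifier pattern that produces exactly the behaviour described above (any self-signed, expired or wrong-name certificate is accepted) beside a context that validates the chain against an explicit truststore and turns on hostname verification. The class name, the truststore path and password arguments, the PKCS#12 format and the use of java.net.http.HttpClient are assumptions made for the example.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Illustrative example (not epa4all-client code): CWE-295 anti-pattern beside a validating configuration. */
public final class TlsValidationExample {

    /** VULNERABLE (CWE-295): every chain and every hostname is accepted, so a MITM certificate passes. */
    static SSLContext insecureContext() throws Exception {
        TrustManager[] trustAll = {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { /* no check */ }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { /* no check */ }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        // Frequently paired with this line, which also removes the CN/SAN check for HttpsURLConnection.
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
        return ctx;
    }

    /** HARDENED: the server chain must lead to a CA in an explicit PKCS#12 truststore (assumed format). */
    static SSLContext hardenedContext(Path truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        // The default (PKIX) trust manager checks signatures, the path to a trust anchor and validity dates.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Hostname (CN/SAN) verification is separate from chain validation and must be switched on explicitly. */
    static SSLParameters withEndpointIdentification(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TlsValidationExample <truststore.p12> <password> <https-url>");
            System.exit(2);
        }
        SSLContext ctx = hardenedContext(Path.of(args[0]), args[1].toCharArray());
        HttpClient client = HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(withEndpointIdentification(ctx))
                .build();
        HttpRequest req = HttpRequest.newBuilder(URI.create(args[2])).GET().build();
        // Against a self-signed, expired or wrong-name certificate this throws javax.net.ssl.SSLHandshakeException
        // instead of completing the handshake and handing the SOAP traffic to whoever holds that certificate.
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println("status " + resp.statusCode());
    }
}
```

A practical acceptance check after upgrading any client is to point it at a test endpoint that serves a self-signed certificate, an expired one, and one issued for a different name: a validating client must fail the handshake in all three cases. Note that initialising an SSLContext with a real TrustManagerFactory validates the chain but, for a raw SSLSocket, does not by itself verify the hostname; the endpoint identification algorithm has to be set on the SSLParameters as shown.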
References (2)
GHSA advisory (x_refsource_confirm): https://github.com/oviva-ag/epa4all-client/security/advisories/GHSA-5hhf-xmfx-4vvr
Fix pull request (x_refsource_misc): https://github.com/oviva-ag/epa4all-client/pull/36
Scores
CVSS v3.1 base score: 8.1 (High)
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: ADJACENT_NETWORK (the attacker must sit on the network path; no privileges or user interaction are needed, and the impact is full read and modify access to the traffic, with no availability impact scored)
EPSS: 0.0014 (percentile 3.5%)
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-295 (Improper Certificate Validation)
Status
published
Products (3)
com.oviva.telematik/epa4all-client (Maven): versions from 0 up to, but not including, 1.2.2
com.oviva.telematik/epa4all-client: < 1.2.2
oviva-ag/epa4all-client (GitHub): < 1.2.2
Published
May 26, 2026
Tracked Since
May 27, 2026