Maven · com.oviva.telematik:epa4all-client · CVE-2026-45574
**Name of the Vulnerable Software and Affected Versions**
epa4all-client versions prior to 1.2.2
**Description**
An attacker positioned on the network path between the ePA service and the Konnektor can present any TLS certificate, including one that is self-signed, expired, or issued for an incorrect Common Name (CN), and intercept all SOAP traffic. The intercepted traffic may expose patient identifiers (KVNR), SMC-B card operations (authentication and signing), document content, and credential exchanges.
**Recommendations**
Update to version 1.2.2.
Use the library directly instead of the REST wrapper as a temporary workaround.