PT-2026-41395 · Maven+2 · Com.Oviva.Telematik:Epa4All-Client+1

Chiara Fliegner

+3

·

Published

2026-05-15

·

Updated

2026-05-27

·

CVE-2026-45574

CVSS v3.1

8.1

High

VectorAV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions epa4all-client versions prior to 1.2.2
Description An attacker positioned on the network path between the ePA service and the Konnektor can present any TLS certificate, such as self-signed, expired, or those with an incorrect Common Name (CN), to intercept all SOAP traffic. This interception may expose patient identifiers (KVNR), SMC-B card operations involving authentication and signing, document content, and credential exchanges.
Recommendations Update to version 1.2.2. Use the library directly instead of the REST wrapper as a temporary workaround.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45574
GHSA-5HHF-XMFX-4VVR

Affected Products

Com.Oviva.Telematik:Epa4All-Client
Epa4All-Client