CVE-2026-45575

CVSS v3.1

7.4

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Impact

An attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects u ri puk idp enc and uri puk idp sig to attacker-controlled URLs. The client then encrypts the SMC-B-signed challenge response to the attacker's encryption key and POSTs it to the attacker's auth endpoint. This captures the signed authentication material.

Patches

#36

Workarounds

None.

Resources

MS-OVIVA-EPA4ALL-d453c1

Credits

Machine Spirits (contact@machinespirits.de)

Dr. rer. nat. Simon Weber
Dipl.-Inf. Volker Schönefeld
Chiara Fliegner

Fix

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-347

Related Identifiers

CVE-2026-45575

GHSA-GQX7-6552-67HF

Affected Products

Com.Oviva.Telematik:Epa4All-Client

CVE-2026-45575

Impact

Patches

Workarounds

Resources

Credits

Weakness Enumeration

Related Identifiers

Affected Products

References · 6