PT-2026-43414 · Unknown · Epa4All-Client
Chiara Fliegner
+4
·
Published
2026-05-26
·
Updated
2026-06-04
·
CVE-2026-47672
CVSS v3.1
6.5
Medium
| Vector | AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
epa4all-client versions prior to 1.2.5
Description
Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In misconfigured deployments, such as those following the production Docker example in the README, this can be exploited from the local network without credentials.
Recommendations
Update to version 1.2.5.
Use network policies or proxies to enforce service-to-service authentication via mTLS (Mutual Transport Layer Security), which is a process where both parties in a communication link authenticate each other.
Run the service in an isolated network namespace, such as a Kubernetes sidecar.
Implement a service-mesh with corresponding policies.
Exploit
Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Epa4All-Client