PT-2026-43414 · Unknown · Epa4All-Client

Chiara Fliegner

+4

·

Published

2026-05-26

·

Updated

2026-06-04

·

CVE-2026-47672

CVSS v3.1

6.5

Medium

VectorAV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions epa4all-client versions prior to 1.2.5
Description Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In misconfigured deployments, such as those following the production Docker example in the README, this can be exploited from the local network without credentials.
Recommendations Update to version 1.2.5. Use network policies or proxies to enforce service-to-service authentication via mTLS (Mutual Transport Layer Security), which is a process where both parties in a communication link authenticate each other. Run the service in an isolated network namespace, such as a Kubernetes sidecar. Implement a service-mesh with corresponding policies.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47672
GHSA-C82X-F4XR-QV33

Affected Products

Epa4All-Client