PT-2026-46857 — Com.Oviva.Telematik:Epa4All-Rest-Service

PT-2026-46857 · Maven · Com.Oviva.Telematik:Epa4All-Rest-Service

Published

2026-06-04

Updated

2026-06-04

CVSS v3.1

6.5

Medium

Vector

AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact

Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without credentials.

Patches

Workarounds

Use network policies or proxies to enforce service-to-service authentication via e.g. mTLS.

run the service in an isolated network namespace e.g. as Kubernetes sidecar
service-mesh with corresponding policies

References

MS-OVIVA-EPA4ALL-8b2af7

Credits

Machine Spirits (contact@machinespirits.de)

Dr. rer. nat. Simon Weber
Dipl.-Inf. Volker Schönefeld
Chiara Fliegner

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

GHSA-C82X-F4XR-QV33

Affected Products

Com.Oviva.Telematik:Epa4All-Rest-Service