High severity · GHSA Advisory · Published May 8, 2026
epa4all-client has a VAU Signature bypass
CVE-2026-44900
Description
Impact
In SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, an OCSP check, and signature algorithm setup, but never checks whether the signature actually matches the signed data and key. As a result it returns true for any structurally valid signature, regardless of who produced it.
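The defect and its fix side by side, as an added illustration that is not code from epa4all-client: the class and method names are hypothetical, only the java.security calls are real.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

// Hypothetical demo class; mirrors the pattern described in the advisory,
// not the project's actual SignedPublicKeysTrustValidatorImpl.
public class SignatureCheckDemo {

    // Vulnerable pattern: the boolean from Signature.verify() is dropped.
    // verify() only throws for malformed (non-DER) input, so every
    // structurally valid ECDSA signature ends in "return true".
    static boolean isTrustedVulnerable(PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(key);
        verifier.update(data);
        verifier.verify(sig);   // result discarded
        return true;            // reached whether or not the signature matched
    }

    // Fixed pattern: the outcome is the value verify() returns.
    static boolean isTrustedFixed(PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(key);
        verifier.update(data);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair trusted = kpg.generateKeyPair();   // constructed: the key we expect
        KeyPair untrusted = kpg.generateKeyPair(); // constructed: some other key

        byte[] data = "constructed signed-public-keys payload".getBytes(StandardCharsets.UTF_8);

        // Well-formed signature, but made with the wrong private key.
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(untrusted.getPrivate());
        s.update(data);
        byte[] wrongKeySig = s.sign();

        System.out.println("vulnerable accepts wrong-key signature: "
                + isTrustedVulnerable(trusted.getPublic(), data, wrongKeySig));
        System.out.println("fixed accepts wrong-key signature:      "
                + isTrustedFixed(trusted.getPublic(), data, wrongKeySig));
    }
}
```

A unit test that feeds a validator a well-formed signature under the wrong key, and expects rejection, is the regression check that would have caught this class of bug.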
Patches
Patched in #34.
Workarounds
None.
Resources
MS-OVIVA-EPA4ALL-d76aec
Credits
Machine Spirits (contact@machinespirits.de) - Dr. rer. nat. Simon Weber - Dipl.-Inf. Volker Schönefeld - Chiara Fliegner
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.oviva.telematik:epa4all-client (Maven) | < 1.2.1 | 1.2.1 |
Affected products
Range: <= 1.2.0