VYPR

Epa4all Client

by Oviva Ag

CVEs (4)

  • CVE-2026-45574 | High | May 26, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This…

  • CVE-2026-44900 | High | May 26, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs…

  • CVE-2026-45575 | High | May 26, 2026
    risk 0.41 | cvss 7.4 | epss 0.00

    epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects…

  • CVE-2026-47672 | Medium | May 26, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured…