PatchSiren cyber security CVE debrief
CVE-2026-45574 oviva-ag CVE debrief
epa4all-client versions prior to 1.2.2 fail to validate TLS certificates when connecting to the Konnektor, enabling network-path attackers to intercept sensitive healthcare communications. The vulnerability allows presentation of arbitrary certificates—self-signed, expired, or with incorrect common names—without rejection by the client. This TLS verification bypass exposes patient identifiers (KVNR), SMC-B card authentication and signing operations, document content, and credential exchanges in cleartext to the attacker. The flaw affects Java-based ePA 3.0 client implementations within Germany's Telematik Infrastruktur healthcare network. Version 1.2.2 implements proper certificate validation to remediate the issue.
- Vendor
- oviva-ag
- Product
- epa4all-client
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-26
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-26
- Advisory updated
- 2026-05-27
Who should care
Healthcare IT administrators operating German ePA 3.0 infrastructure, developers integrating epa4all-client libraries, security teams responsible for Telematik Infrastruktur compliance, and organizations processing electronic health records subject to German healthcare data protection requirements
Technical summary
The epa4all-client Java library, used for electronic patient record (ePA 3.0) access in Germany's Telematik Infrastruktur, contains a critical TLS certificate validation vulnerability. Prior to version 1.2.2, the client accepts any TLS certificate presented during Konnektor connection establishment without verifying certificate authenticity, validity period, or subject name. This implementation flaw in the Java client's TLS handshake logic permits successful man-in-the-middle attacks by adversaries positioned on the network path between the ePA service and Konnektor. The vulnerability exposes highly sensitive healthcare data including patient insurance numbers (KVNR), electronic health record documents, and cryptographic operations performed via SMC-B health professional cards. The attack requires no authentication and no user interaction, functioning against default configurations in adjacent network scenarios. Remediation in version 1.2.2 introduces proper X.509 certificate chain validation and hostname verification.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade epa4all-client to version 1.2.2 or later to obtain TLS certificate validation
- Audit network segments between ePA services and Konnektor devices for unauthorized access points
- Review application logs for anomalous TLS handshake patterns or certificate errors prior to upgrade
- Implement network segmentation to limit exposure of Konnektor communications to untrusted network paths
- Verify TLS certificate pinning or validation logic in custom epa4all-client deployments
- Monitor for unauthorized certificate authorities or self-signed certificates in healthcare network infrastructure
Evidence notes
CVE description confirms TLS certificate validation failure (CWE-295) in epa4all-client <1.2.2. CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N indicates adjacent network attack vector with high confidentiality and integrity impact. GitHub Security Advisory GHSA-5hhf-xmfx-4vvr and pull request #36 provide vendor remediation confirmation.
Official resources
2026-05-26