PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45575 oviva-ag CVE debrief

epa4all-client versions prior to 1.2.2 are vulnerable to a man-in-the-middle (MITM) attack targeting the TLS connection between the client and the Identity Provider (IDP) within the Telematik Infrastruktur (TI) network. An attacker positioned to intercept this connection can substitute a forged discovery document that redirects the `uri_puk_idp_enc` and `uri_puk_idp_sig` endpoints to attacker-controlled URLs. The client then encrypts the SMC-B-signed challenge response using the attacker's encryption key and transmits it to the attacker's authentication endpoint, allowing capture of the signed authentication material. This vulnerability enables authentication bypass and credential theft in the German electronic health card (eGK) infrastructure. The issue is resolved in version 1.2.2.

Vendor
oviva-ag
Product
epa4all-client
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Healthcare IT administrators operating within the German Telematik Infrastruktur, developers integrating epa4all-client for ePA 3.0 connectivity, security teams monitoring German eHealth authentication flows, and organizations relying on SMC-B card-based authentication for electronic patient record access.

Technical summary

The epa4all-client Java library for German electronic health record (ePA 3.0) integration does not verify the authenticity of the IDP discovery document it retrieves over TLS; the assigned CWE-347 points at a missing signature check on the document itself, so the TLS channel is the only protection, and an attacker who can intercept that channel controls every endpoint the client uses next. Such an attacker injects a discovery document that substitutes attacker-controlled URLs for the legitimate IDP encryption key (`uri_puk_idp_enc`) and signature key (`uri_puk_idp_sig`) endpoints. The client then fetches the attacker's encryption key, encrypts the SMC-B-signed authentication challenge with it, and submits the result to the attacker's authentication endpoint, handing over valid signed authentication material. The weakness sits in the trust-establishment phase of the OAuth 2.0 / OpenID Connect flow used within the German healthcare digital infrastructure: everything downstream (key retrieval, challenge encryption, token exchange) inherits whatever the discovery document says.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade epa4all-client to version 1.2.2 or later
  • Verify IDP discovery document authenticity before using any endpoint it names: check its signature against a trusted IDP certificate, pin the IDP's certificate or use out-of-band validation, and confirm that every endpoint URL (including `uri_puk_idp_enc` and `uri_puk_idp_sig`) is HTTPS on the expected IDP host
  • Monitor for anomalous authentication flows in TI network environments
  • Review network segmentation to limit MITM opportunities within TI infrastructure
  • Audit SMC-B authentication logs for encryption keys or authentication endpoints fetched from any host other than the expected IDP
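The check the technical summary says was missing, and the first two items of the list above, as an added example. This is not code from epa4all-client or from oviva-ag; it is a stand-alone Python illustration. It treats the discovery document as a compact JWS (header.payload.signature) whose payload carries the endpoint URLs, and enforces that every endpoint sits on the expected IDP origin over HTTPS, so a substituted document pointing `uri_puk_idp_enc` / `uri_puk_idp_sig` at another host is rejected before any key is fetched from it. The IDP origin, the `authorization_endpoint` / `token_endpoint` field names, the JWS header values and the sample documents are all constructed for the example; the signature on the JWS is not verified here (a real client must verify it against the TI trust anchor with a crypto library before trusting the payload at all), which is why the sample signature segment is a placeholder.

```python
"""Added example (not part of epa4all-client): validate an IDP discovery
document's endpoint URLs against the expected IDP origin before use."""
import base64
import json
from urllib.parse import urlsplit

# Endpoint fields that must all live on the IDP origin. The first two are the
# fields named in the CVE; the other two are assumed OIDC-style names.
ENDPOINT_FIELDS = (
    "uri_puk_idp_enc",
    "uri_puk_idp_sig",
    "authorization_endpoint",
    "token_endpoint",
)


class DiscoveryDocumentError(ValueError):
    """Raised when the discovery document must not be trusted."""


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_discovery_jws(token: str) -> dict:
    """Split a compact JWS and return its decoded JSON payload.

    Assumption: the caller verifies the JWS signature against the trusted IDP
    certificate separately; this function only checks the structure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise DiscoveryDocumentError("not a compact JWS (expected 3 segments)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise DiscoveryDocumentError(f"undecodable JWS segment: {exc}") from exc
    if not isinstance(header, dict) or header.get("alg") in (None, "none"):
        raise DiscoveryDocumentError("JWS header lacks an acceptable alg")
    if not isinstance(payload, dict):
        raise DiscoveryDocumentError("JWS payload is not a JSON object")
    return payload


def validate_endpoints(doc: dict, expected_origin: str) -> dict:
    """Return the endpoint URLs only if each is HTTPS on expected_origin.

    netloc is compared whole, so userinfo tricks (idp.example@attacker) and
    look-alike subdomains (idp.example.attacker.invalid) are rejected too."""
    expected = urlsplit(expected_origin)
    accepted = {}
    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if not isinstance(url, str):
            raise DiscoveryDocumentError(f"missing endpoint: {field}")
        u = urlsplit(url)
        if u.scheme != "https" or u.netloc.lower() != expected.netloc.lower():
            raise DiscoveryDocumentError(f"{field} is off the IDP origin: {url}")
        accepted[field] = url
    return accepted


def check_document(token: str, expected_origin: str) -> dict:
    """Parse the document and return its endpoints, or raise."""
    return validate_endpoints(parse_discovery_jws(token), expected_origin)


def is_valid_document(token: str, expected_origin: str) -> bool:
    try:
        check_document(token, expected_origin)
        return True
    except DiscoveryDocumentError:
        return False


# ---- constructed sample data (hypothetical origin, placeholder signature) ----
IDP_ORIGIN = "https://idp.example-ti.invalid"

LEGIT_DISCOVERY = {
    "issuer": IDP_ORIGIN,
    "authorization_endpoint": f"{IDP_ORIGIN}/auth",
    "token_endpoint": f"{IDP_ORIGIN}/token",
    "uri_puk_idp_enc": f"{IDP_ORIGIN}/certs/puk_idp_enc",
    "uri_puk_idp_sig": f"{IDP_ORIGIN}/certs/puk_idp_sig",
}

# What a MITM on the client-to-IDP path substitutes: the key and auth
# endpoints now point at a host the attacker controls.
FORGED_DISCOVERY = dict(
    LEGIT_DISCOVERY,
    uri_puk_idp_enc="https://attacker.invalid/puk_enc",
    uri_puk_idp_sig="https://attacker.invalid/puk_sig",
    authorization_endpoint="https://attacker.invalid/auth",
)


def build_discovery_jws(payload: dict) -> str:
    """Constructed sample JWS; header values and signature are placeholders."""
    header = _b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'placeholder-signature')}"


if __name__ == "__main__":
    print("legit accepted:", is_valid_document(build_discovery_jws(LEGIT_DISCOVERY), IDP_ORIGIN))
    print("forged accepted:", is_valid_document(build_discovery_jws(FORGED_DISCOVERY), IDP_ORIGIN))
```

The origin check is deliberately strict (exact scheme and netloc match) because the whole point of the attack is to move a single URL off the IDP host; a looser "ends with" comparison on the hostname would let a look-alike subdomain through. Note that this check is a second line of defence: it catches a substituted document, but only signature verification against the trust anchor establishes that the document came from the IDP in the first place.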

Evidence notes

Vulnerability description confirms a MITM attack vector within the TI network boundary. The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N reads as network-reachable but high complexity (the attacker needs an interception position on the client-to-IDP path), no privileges or user interaction, high confidentiality and integrity impact, and no availability impact. CWE-347 (Improper Verification of Cryptographic Signature) assigned. Fix confirmed in pull request #36.

Official resources

2026-05-26