PatchSiren cyber security CVE debrief
CVE-2026-47672 oviva-ag CVE debrief
epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without credentials.
- Vendor: oviva-ag
- Product: epa4all-client
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
Who should care
Healthcare institutions using epa4all-client for ePA 3.0 integration in Germany's Telematik Infrastruktur, medical software vendors, health IT administrators, and compliance officers responsible for electronic health record security and SMC-B card deployments.
Technical summary
epa4all-client versions 1.2.4 and earlier contain a missing authentication vulnerability (CWE-306) that allows any network-reachable caller to write arbitrary documents to patient electronic health records accessible by the institution's SMC-B card. The vulnerability is exploitable from the local network without credentials in misconfigured deployments, particularly those following the production Docker example in the project README. The attack requires adjacent network access (AV:A) with low complexity and no privileges, resulting in high integrity impact to patient health records. The fix has been implemented in pull request 43.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade epa4all-client to version 1.2.5 or later, which contains the authentication fix via pull request 43
- Review Docker deployment configurations to ensure authentication is enforced; deployments that follow the README's production Docker example are the misconfigured case this advisory describes
- Implement network segmentation to restrict access to epa4all-client services to authorized systems only
- Audit existing patient electronic health records for unauthorized document writes if running affected versions
- Verify SMC-B card access controls are properly configured and not bypassable through client misconfiguration
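The weakness in the technical summary (CWE-306: a critical write operation reachable with no authentication) and the first three defensive actions can be illustrated with a small, constructed example. This is added here for explanation and is not the epa4all-client code (which is Java); the handler names, the bearer-token check, the allowlisted subnet and the audit trail are all assumptions made for the illustration. It shows the unauthenticated write pattern beside a hardened form that requires both a network-allowlisted source and a valid credential, and records every decision so that the audit recommended above has something to work from.

```python
"""Constructed illustration of CWE-306 on a document-write endpoint and
one way to close it. Not the project's code; all names are hypothetical."""
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed shared secret; a real deployment loads this from a secret store.
API_TOKEN = "example-token-not-a-real-secret"

# Constructed allowlist: the only subnet allowed to reach the write endpoint
# (network segmentation, as the advisory recommends).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]


@dataclass
class WriteRequest:
    source_ip: str
    patient_id: str
    document: bytes
    headers: dict = field(default_factory=dict)


@dataclass
class RecordStore:
    """Stand-in for the patient record backend; only collects writes."""
    written: list = field(default_factory=list)

    def write(self, patient_id, document):
        self.written.append((patient_id, document))


def vulnerable_write(req, store):
    """The CWE-306 pattern: anyone who can reach the service can write."""
    store.write(req.patient_id, req.document)
    return 201


def _caller_authenticated(req):
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = auth[len("Bearer "):]
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(presented, API_TOKEN)


def _caller_on_allowed_network(req):
    try:
        addr = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def hardened_write(req, store, audit=None):
    """Same write, gated on source network and credential, with every
    decision appended to an audit trail. Returns an HTTP-style status."""
    audit = audit if audit is not None else []
    if not _caller_on_allowed_network(req):
        audit.append(f"DENY network src={req.source_ip} patient={req.patient_id}")
        return 403
    if not _caller_authenticated(req):
        audit.append(f"DENY auth src={req.source_ip} patient={req.patient_id}")
        return 401
    store.write(req.patient_id, req.document)
    audit.append(f"ALLOW write src={req.source_ip} patient={req.patient_id} "
                 f"bytes={len(req.document)}")
    return 201


if __name__ == "__main__":
    trail = []
    store = RecordStore()
    anon = WriteRequest("10.20.30.5", "P-0001", b"<doc/>")
    print("vulnerable:", vulnerable_write(anon, RecordStore()))
    print("hardened, no credential:", hardened_write(anon, store, trail))
    for line in trail:
        print(line)
```

The audit list is what an operator would review when checking affected deployments for unauthorized writes: every denied and allowed write carries the source address and patient identifier, so unexpected sources or volumes stand out.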
Evidence notes
The vulnerability description indicates that epa4all-client versions 1.2.4 and earlier lack authentication controls for document write operations, allowing network-reachable callers to write arbitrary documents to patient electronic health records. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) confirms attack vector is adjacent network, with low attack complexity, no privileges required, and high integrity impact. CWE-306 (Missing Authentication for Critical Function) is identified as the primary weakness. A fix is available via GitHub pull request 43.
Official resources
2026-05-26