Impact
The vulnerability in epa4all-client causes the library to ignore the result of the ECDSA signature verification step. Because the boolean return value from Signature.verify() is discarded, the method always returns true for any structurally valid signature, whether or not it was produced with the expected private key. This flaw allows an attacker to forge a signature that the client will consider valid, potentially enabling unauthorized access or tampering with signed data. The weakness is classified as CWE-295, certificate and public key validation error, indicating a serious failure in cryptographic validation.
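The discarded-result pattern beside its corrected form, as an added illustration that is not the library's own code: it uses only the standard java.security.Signature API, a freshly generated EC key and a constructed message, and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class VerifyResultDemo {

    // Vulnerable pattern (illustrative, not the library's code): the boolean from
    // Signature.verify() is dropped, so any DER-well-formed signature "passes".
    static boolean verifyIgnoringResult(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(pub);
        s.update(data);
        s.verify(sig);   // result discarded: a wrong signature still leads to "true" below
        return true;
    }

    // Corrected pattern: the verification result decides the outcome.
    static boolean verifyChecked(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample message, signed with the generated private key.
        byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] goodSig = signer.sign();

        // Altered message: the signature bytes stay well-formed but no longer match.
        byte[] tampered = "constructed sample message!".getBytes(StandardCharsets.UTF_8);

        PublicKey pub = kp.getPublic();
        System.out.println("vulnerable, genuine : " + verifyIgnoringResult(pub, data, goodSig));
        System.out.println("vulnerable, tampered: " + verifyIgnoringResult(pub, tampered, goodSig));
        System.out.println("fixed, genuine      : " + verifyChecked(pub, data, goodSig));
        System.out.println("fixed, tampered     : " + verifyChecked(pub, tampered, goodSig));
    }
}
```

A static-analysis rule that flags any Signature.verify() call whose return value is neither assigned nor returned catches this class of defect during review.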
Affected Systems
The issue affects all releases of the epa4all-client Java library from the OVIVA Telematik Infrastructure team that are earlier than version 1.2.1. Vulnerable instances include com.oviva.telematik:epa4all-client and oviva-ag:epa4all-client as identified by the CNA. Any deployment that incorporates these versions and relies on signature verification for trust decisions is affected.
Risk and Exploitability
With a CVSS score of 8.1, the vulnerability is considered High severity. The EPSS score is not available, so an exact exploitation probability cannot be quantified, but the lack of signature validation indicates that exploitation is feasible if an attacker can supply a forged signature as part of a signed transaction or message. This flaw is not listed in the CISA KEV catalog, yet the potential to subvert security controls makes it a critical concern. The attack vector is inferred to be local or remote access to the system where the library is executed, as the flaw resides in the client code that processes incoming signed data.
OpenCVE Enrichment
Github GHSA