Description
epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without credentials.
Published: 2026-05-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The epa4all-client Java client for ePA 3.0 is vulnerable when version 1.2.4 or earlier is deployed. An unauthenticated caller able to reach the REST API can write arbitrary documents into any patient’s electronic health record for that institution. Even without an SMC‑B card, the API permits data modification, directly compromising the integrity and confidentiality of patient information. The weakness is an Authentication Required flaw (CWE‑306).

Affected Systems

The vulnerability affects oviva‑ag’s epa4all-client product for any installation running version 1.2.4 or earlier. Misconfigured deployments such as those illustrated by the project’s Docker example in the README allow the flaw to be exercised from a local network without credentials.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score is not available and the vulnerability is not yet listed in CISA’s KEV catalog. However, the attack requires only local network reachability and does not need user credentials, meaning an attacker inside the same network can exploit the API to tamper health records. Because the flaw directly bypasses authentication checks, the potential impact on patient data integrity is high and the likelihood of exploitation is significant in environments that have left the default configuration exposed.

Generated by OpenCVE AI on May 26, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade epa4all-client to the latest non‑vulnerable release (any version newer than 1.2.4).
  • Restrict network access to the client’s REST API by configuring firewalls or subnet routing so that only trusted hosts can reach it, and block unauthenticated connections from the local network.
  • Enable proper authentication for all write operations, ensuring that API requests validate the caller’s SMC‑B card or an equivalent credential before allowing modifications to patient records.

Generated by OpenCVE AI on May 26, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c82x-f4xr-qv33 epa4all-client: Unauthenticated REST API for Patient Record Writes
History

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Oviva-ag
Oviva-ag epa4all-client
Vendors & Products Oviva-ag
Oviva-ag epa4all-client

Tue, 26 May 2026 21:15:00 +0000

Type Values Removed Values Added
Description epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without credentials.
Title epa4all-client: Unauthenticated REST API for Patient Record Writes
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Oviva-ag Epa4all-client
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T14:16:18.616Z

Reserved: 2026-05-19T21:10:38.797Z

Link: CVE-2026-47672

cve-icon Vulnrichment

Updated: 2026-05-27T14:16:15.327Z

cve-icon NVD

Status : Deferred

Published: 2026-05-26T21:16:41.483

Modified: 2026-06-17T10:54:36.890

Link: CVE-2026-47672

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:08:27Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function