CVE Catalog

CVE-2026-44900

High
Published: Translated: NVD NIST

Summary

In versions prior to 1.2.1 of the epa4all client, there is a vulnerability related to ECDSA signature verification. The isTrusted() method does not check if the signature actually matches, leading to false acceptance of valid signatures.

Risk Assessment

Organizations may be exposed to attacks where unauthorized signatures are accepted as valid, potentially leading to unauthorized access or data manipulation.

Recommendation

It is recommended to upgrade to version 1.2.1 or later to eliminate this vulnerability and ensure proper signature verification.

Original NVD description (English source)

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually matches. For any structurally valid signature, it returns true. This vulnerability is fixed in 1.2.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS