CVE-2026-44900
HighSummary
In versions prior to 1.2.1 of the epa4all client, there is a vulnerability related to ECDSA signature verification. The isTrusted() method does not check if the signature actually matches, leading to false acceptance of valid signatures.
Risk Assessment
Organizations may be exposed to attacks where unauthorized signatures are accepted as valid, potentially leading to unauthorized access or data manipulation.
Recommendation
It is recommended to upgrade to version 1.2.1 or later to eliminate this vulnerability and ensure proper signature verification.
Original NVD description (English source)
epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually matches. For any structurally valid signature, it returns true. This vulnerability is fixed in 1.2.1.

