CVE Catalog

CVE-2026-45574

High
Published: Translated: NVD NIST

Summary

ePA4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to version 1.2.2, an attacker on the network path could present any TLS certificate and intercept all SOAP traffic, including patient identifiers and SMC-B card operations.

Risk Assessment

This vulnerability exposes the organization to the interception of sensitive patient data and authorization operations, potentially leading to serious privacy and security breaches.

Recommendation

It is recommended to upgrade to version 1.2.2 or later to mitigate this vulnerability.

Original NVD description (English source)

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. This vulnerability is fixed in 1.2.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS