CVE-2026-45575
HighSummary
The vulnerability in epa4all-client before version 1.2.2 allows an attacker to perform a MITM attack on the TLS connection between the client and the IDP. The attacker can substitute a forged discovery document, redirecting data to URLs controlled by them.
Risk Assessment
The organization is at risk of theft of signed authentication materials, which could lead to unauthorized access to systems. If exploited, this vulnerability allows the attacker to take control of the authentication process.
Recommendation
It is recommended to update epa4all-client to version 1.2.2 or later to mitigate this vulnerability. Additionally, monitoring TLS connections for potential MITM attacks is advisable.
Original NVD description (English source)
epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects uri_puk_idp_enc and uri_puk_idp_sig to attacker-controlled URLs. The client then encrypts the SMC-B-signed challenge response to the attacker's encryption key and POSTs it to the attacker's auth endpoint. This captures the signed authentication material. This vulnerability is fixed in 1.2.2.

