CVE-2026-45574
epa4all-client: TLS Certificate Validation Disabled in Production
Description
### Impact An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. ### Patches [#36](https://github.com/oviva-ag/epa4all-client/pull/36) ### Workarounds Use the library directly instead of the REST wrapper. ### Resources - MS-OVIVA-EPA4ALL-771a78 ### Credits [Machine Spirits](https://machinespirits.com/) ([contact@machinespirits.de](mailto:contact@machinespirits.de)) - Dr. rer. nat. Simon Weber - Dipl.-Inf. Volker Schönefeld - Chiara Fliegner
How to fix CVE-2026-45574
To remediate CVE-2026-45574, upgrade the affected package to a fixed version below.
- —upgrade to 1.2.2 or later
Is CVE-2026-45574 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |