CVE-2026-45575
Improper Verification of Cryptographic Signature in com.oviva.telematik:epa4all-client
Description
### Impact An attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects u ri_puk_idp_enc and uri_puk_idp_sig to attacker-controlled URLs. The client then encrypts the SMC-B-signed challenge response to the attacker's encryption key and POSTs it to the attacker's auth endpoint. This captures the signed authentication material. ### Patches [#36](https://github.com/oviva-ag/epa4all-client/pull/36) ### Workarounds None. ### Resources - MS-OVIVA-EPA4ALL-d453c1 ### Credits [Machine Spirits](https://machinespirits.com/) ([contact@machinespirits.de](mailto:contact@machinespirits.de)) - Dr. rer. nat. Simon Weber - Dipl.-Inf. Volker Schönefeld - Chiara Fliegner
How to fix CVE-2026-45575
To remediate CVE-2026-45575, upgrade the affected package to a fixed version below.
- —upgrade to 1.2.2 or later
Is CVE-2026-45575 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |