Authentication mechanism absence or evasion in com.oviva.telematik:epa4all-rest-service

Description

epa4all-client: Unauthenticated REST API for Patient Record Writes

Impact

Any network-reachable caller can write arbitrary documents to the electronic health record of any patient accessible through the institution's SMC-B card, because the REST API performs no authentication of its own. In a misconfigured deployment (e.g. one following the production Docker example in the README), this is exploitable from the local network without credentials.

Patches

Workarounds

Until a patched release is available, use network policies or a proxy in front of the service to enforce service-to-service authentication, e.g. via mTLS. Concretely:

    run the service in an isolated network namespace, e.g. as a Kubernetes sidecar reachable only from the calling pod

    run it behind a service mesh with corresponding mTLS and authorization policies
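As an added illustration of the workarounds above (example manifests written for this page, not part of the advisory or the epa4all project), the following Kubernetes resources assume the service runs in namespace `epa4all` with pod label `app: epa4all-rest-service`, listens on TCP port 8080, and that only pods labelled `epa4all-client: allowed` (running as service account `epa4all-client`) may call it. The namespace, labels, port and service-account name are assumptions. The first manifest is a NetworkPolicy that allows ingress only from the labelled client pods; the second and third use Istio to require mTLS on every connection and to allow only the named client identity.

```yaml
# Added example, not from the advisory or the project.
# Assumed: namespace "epa4all", pod label app=epa4all-rest-service,
# service port 8080, client pods labelled epa4all-client=allowed,
# client service account "epa4all-client".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: epa4all-rest-service-ingress
  namespace: epa4all
spec:
  podSelector:
    matchLabels:
      app: epa4all-rest-service
  policyTypes:
    - Ingress
  ingress:
    # The only ingress rule: pods in this namespace carrying the client
    # label may reach port 8080. All other ingress to the selected pods
    # is denied, including from other namespaces.
    - from:
        - podSelector:
            matchLabels:
              epa4all-client: allowed
      ports:
        - protocol: TCP
          port: 8080
---
# Service-mesh variant (Istio): every connection to the workload must be
# mutual TLS; plaintext callers are rejected by the sidecar.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: epa4all-rest-service-mtls
  namespace: epa4all
spec:
  selector:
    matchLabels:
      app: epa4all-rest-service
  mtls:
    mode: STRICT
---
# With an ALLOW policy attached to the workload, any request that matches
# no rule is denied. Only the assumed client service account is listed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: epa4all-rest-service-callers
  namespace: epa4all
spec:
  selector:
    matchLabels:
      app: epa4all-rest-service
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - "cluster.local/ns/epa4all/sa/epa4all-client"
```

Two caveats: a NetworkPolicy is only enforced if the cluster's CNI plugin supports it, so verify by running `curl` against the service from a pod without the client label and confirming the connection is refused; and these controls keep unauthenticated callers away from the API rather than adding authentication to it, so they are defence in depth until a release that authenticates requests itself is deployed.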

References

    MS-OVIVA-EPA4ALL-8b2af7

Credits

Machine Spirits ([email protected])

    Dr. rer. nat. Simon Weber

    Dipl.-Inf. Volker Schönefeld

    Chiara Fliegner

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
