CVE-2026-45574 – epa4all-client: TLS Certificate Validation Disabled in Production

CVE ID :CVE-2026-45574

Published : May 26, 2026, 10:16 p.m. | 15 minutes ago

Description :epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. This vulnerability is fixed in 1.2.2.

Severity: 8.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-9607 – itsourcecode Courier Management System parcel_list.php sql injection

CVE-2026-9606 – itsourcecode Courier Management System manage_user.php sql injection

CVE-2026-9605 – GNU libredwg Dwgbmp Utility bits.c bit_read_RC heap-based overflow

CVE-2026-9312 – Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint