Oviva epa4all-client
TLS Certificate Validation Disabled in Production
The REST wrapper around epa4all-client runs with TLS certificate validation disabled. An attacker on the network path between the ePA service and the Konnektor can present any certificate — self-signed, expired, or with the wrong common name — and intercept the SOAP traffic in cleartext.
This advisory contains limited information during coordinated disclosure. Please check back later for full details.
Description
Per Oviva's advisory, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication and signing), document content, and credential exchanges.
Impact
- A network attacker between the ePA service and the Konnektor can read and tamper with the entire SOAP exchange: patient identifiers (KVNR), SMC-B authentication and signing operations, document content, and credentials.
Mitigation
Update epa4all-client to 1.2.2 or later. As a workaround for affected versions, use the library directly instead of the REST wrapper.
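To make the defect class and its fix concrete, here is an added Java illustration that is not code from the advisory or from epa4all-client: the trust-everything `X509TrustManager` pattern that amounts to "validation disabled", beside a `java.net.http.HttpClient` that trusts only the CA which issued the Konnektor's TLS certificate. The class name, method names and the PEM file path are assumptions.

```java
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class KonnektorTls {  // hypothetical helper, not part of epa4all-client

    // The defect class from the advisory: a TrustManager that accepts every chain.
    // Any certificate presented on the path to the Konnektor (self-signed, expired,
    // issued for another host) passes. Shown so reviewers can recognise it in code.
    static SSLContext trustAllContextDoNotUse() throws Exception {
        TrustManager[] acceptAnything = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAnything, null);
        return ctx;
    }

    // Hardened form: trust exactly the CA certificate(s) in konnektorCaPem (assumed
    // to be a PEM file exported from the Konnektor's PKI) and keep the JDK client's
    // default hostname verification (do not set
    // -Djdk.internal.httpclient.disableHostnameVerification).
    static HttpClient konnektorClient(Path konnektorCaPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);          // empty in-memory trust store
        int i = 0;
        try (var in = Files.newInputStream(konnektorCaPem)) {
            for (var cert : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("konnektor-ca-" + i++, cert);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                 // chain validation against this CA only
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return HttpClient.newBuilder().sslContext(ctx).connectTimeout(Duration.ofSeconds(10)).build();
    }
}
```

Auditing a wrapper for the first pattern (an `X509TrustManager` with empty `checkServerTrusted`, or a disabled hostname verifier) is the quickest way to confirm whether a deployment is affected before the update to 1.2.2 is rolled out.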
References
How We Can Help
Who We Are
The security researchers behind this advisory.

Dr. rer. nat. Simon Weber
Senior Pentester & MedSec Researcher
I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumnus of THB MedSec Research Group
- gematik Security Hero

Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
- gematik Security Hero
Looking for a Penetration Test?
Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.
