Machine Spirits Logo
All Advisories

Oviva epa4all-rest-service

Unauthenticated REST API for Patient Record Writes

The epa4all-rest-service exposes document write and replace endpoints with no authentication middleware in the handler chain, binds to 0.0.0.0 by default, and takes the target patient's KVNR from the caller. Any caller able to reach the service writes arbitrary documents to any patient's ePA using the institution's SMC-B credentials.

Authored byChiara Fliegner, Volker Schönefeld, Simon WeberDisclosed 2026-05-19Fully disclosed 2026-05-28
SeverityMediumCVSS 6.5CVSS 3.1 VectorAV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NCWECWE-306 (Missing Authentication for Critical Function)ProductOviva epa4all-rest-serviceAffected VersionsAll versions up to and including 1.2.4 (`ghcr.io/oviva-ag/epa4all-rest-service`)Fixed InNo fixed release available.CVECVE-2026-47672GHSAGHSA-c82x-f4xr-qv33

Description

The handler chain wraps routing in cache and error handling, with no authentication layer anywhere in the composition:

Main.java:224-272

new DisableCacheHandler(new BlockingHandler(withErrorHandling(routing)))

View source →

The service binds to 0.0.0.0 by default (Main.java:150), and the production Docker example in the README publishes the port without a localhost binding (-p '8080:8080'), so a default deployment is reachable from the local network. The OpenAPI specification (openapi.yaml) defines zero securitySchemes, and the repository carries no SECURITY.md or documentation requiring network isolation.

The target patient is whatever KVNR the caller supplies; the only check is for null:

Epa4allClientService.java:44

Objects.requireNonNull(insurantId);

View source →

During testing, a single unauthenticated POST to the document endpoint with a synthetic KVNR returned 200 and a document ID, confirming the write reached the patient record path with no credentials in the request:

Unauthenticated write (PoC output, KVNR redacted)

POST /documents  (no Authorization header, no API key)
  insurant_id: X000000000
-> 200 OK
   {"id":"<document-id>"}

View source →

Impact

  • An attacker who can reach the service writes arbitrary documents into any patient's ePA using the institution's SMC-B credentials, with no authentication required. Because the KVNR is caller-controlled, the target is any patient the SMC-B card can act on, not just one.
  • The confidentiality impact is not claimed here (the issue is the write/replace path); the integrity impact is the insertion or replacement of documents in a patient's health record, which a downstream clinician or system may later read as authentic.

Mitigation

No fixed release is available. Oviva recommends enforcing service-to-service authentication (for example mTLS) via network policies or a proxy, and running the service in an isolated network namespace (such as a Kubernetes sidecar or a service mesh with corresponding policies); Oviva added a documentation disclaimer regarding API authorization in pull request #43. Until a release adds authentication, treat the service as an unauthenticated trust boundary: bind it to 127.0.0.1, publish the Docker port only on localhost (-p '127.0.0.1:8080:8080'), and place an authenticating proxy in front of any non-local access.

Defender's Checklist

  • Treat the REST service as unauthenticated.

    No released version adds authentication. Assume any caller that reaches the port can write to patient records, and design the deployment around that.

  • Bind to localhost and publish the port only on localhost.

    Change the bind address from 0.0.0.0 to 127.0.0.1 and use -p '127.0.0.1:8080:8080' in the Docker run, rather than the README's -p '8080:8080'.

  • Put an authenticating proxy in front of any remote access.

    If the service must be reachable beyond localhost, front it with mTLS or a token-checking reverse proxy, and restrict the network path with policies so only the intended caller can reach it.

  • Watch for a release that adds API authentication.

    Pull request #43 adds a documentation note regarding API authorization; no released version adds an authentication check on the document endpoints. Track the project for a release that introduces one and update once available.

Severity Reasoning

AV:AThe attacker must reach the service on the network it binds to. In the default deployment that is the local network segment, an adjacent-network position.AC:LA single request to the document endpoint suffices; no credentials, timing, or environmental conditions.PR:NNo authentication exists on the endpoint, so no privileges are required.UI:NNo user interaction; the attacker calls the API directly.S:UImpact is bounded to the ePA records the service's SMC-B card can act on.C:NThe flaw is scored on the write/replace path; confidentiality impact is not claimed for this finding.I:HArbitrary document writes and replacements into any addressable patient's health record, attributed to the institution's SMC-B identity.A:NNo availability impact.

References

How We Can Help

Who We Are

The security researchers behind this advisory.

Dr. Simon Weber Profile

Dr. rer. nat. Simon Weber

Senior Pentester & MedSec Researcher

I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.

  • PhD on Hospital Cybersecurity
  • Critical vulnerabilities found in hospital systems
  • Alumni of THB MedSec Research Group
  • gematik Security Hero
Volker Schönefeld Profile

Dipl.-Inf. Volker Schönefeld

Senior Application Security Expert

As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.

  • 20+ years as CTO, 50M+ app downloads
  • Architected and secured large-scale IoT fleets
  • Certified Web Exploitation Specialist
  • gematik Security Hero
View Full Team Profiles

Looking for a Penetration Test?

Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.

Get in TouchLearn More About Our Services