Oviva epa4all-rest-service
Unauthenticated REST API for Patient Record Writes
The REST service exposes document write and replace endpoints with no authentication. Any caller able to reach the service on the local network can write arbitrary documents to any patient's ePA, using the institution's SMC-B card credentials configured on the service.
This advisory contains limited information during coordinated disclosure. Please check back later for full details.
Description
Per Oviva's advisory, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment — for example, following the production Docker example in the README — this is exploitable from the local network without credentials.
Impact
- An attacker who can reach the service on the local network can write arbitrary documents into any patient's ePA using the institution's SMC-B credentials, with no authentication required.
Mitigation
No fixed release is available. Oviva recommends enforcing service-to-service authentication (for example mTLS) via network policies or a proxy, and running the service in an isolated network namespace (such as a Kubernetes sidecar or a service mesh with corresponding policies). Oviva added a documentation disclaimer regarding API authorization in pull request #43.
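As an added illustration of the network isolation Oviva recommends (this is not Oviva's or the project's own configuration), the following Kubernetes NetworkPolicy denies all ingress to the epa4all-rest-service pods except from the single workload permitted to call it. The namespace, pod labels and port 8080 are assumptions; adjust them to the real deployment.

```yaml
# Added example, not part of the advisory or the epa4all-rest-service project.
# Assumptions: the service runs in namespace "epa", its pods carry the label
# app=epa4all-rest-service and listen on TCP 8080, and the only legitimate
# caller is the pod labelled app=epa-client in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: epa4all-rest-service-ingress
  namespace: epa
spec:
  # Applies to the unauthenticated REST service pods only.
  podSelector:
    matchLabels:
      app: epa4all-rest-service
  policyTypes:
    - Ingress
  ingress:
    # Allow only the named caller, and only on the service port. Every other
    # pod, node or external host (the "local network" caller in the advisory)
    # is dropped before it can reach the document write endpoints.
    - from:
        - podSelector:
            matchLabels:
              app: epa-client
      ports:
        - protocol: TCP
          port: 8080
```

A NetworkPolicy is enforced only by a CNI plugin that supports it, and it restricts reachability rather than authenticating callers; the mTLS proxy or service-mesh policy Oviva recommends still belongs in front of the service.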
References
Who We Are
The security researchers behind this advisory.

Dr. rer. nat. Simon Weber
Senior Pentester & MedSec Researcher
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumni of THB MedSec Research Group
- gematik Security Hero

Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
- gematik Security Hero