What is GHSA-5hhf-xmfx-4vvr?

GHSA-5hhf-xmfx-4vvr is a security advisory published by GitHub Security Advisories with High severity. epa4all-client: TLS Certificate Validation Disabled in Production

Which CVE IDs does GHSA-5hhf-xmfx-4vvr cover?

GHSA-5hhf-xmfx-4vvr covers the following CVE IDs: CVE-2026-45574. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-5hhf-xmfx-4vvr?

GHSA-5hhf-xmfx-4vvr has a CVSS v3 base score of 8.1, published by GitHub Security Advisories.

Which products are affected by GHSA-5hhf-xmfx-4vvr?

GHSA-5hhf-xmfx-4vvr affects 1 product, including: maven/com.oviva.telematik:epa4all-client:\u003c 1.2.2.

GHSA-5hhf-xmfx-4vvrHighCVSS 8.1

epa4all-client: TLS Certificate Validation Disabled in Production

Vendor

GitHub Security Advisories

Published

May 15, 2026

Last Modified

May 15, 2026

🔗 CVE IDs covered (1)

CVE-2026-45574 →

📋 Description

### Impact An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. ### Patches [#36](https://github.com/oviva-ag/epa4all-client/pull/36) ### Workarounds Use the library directly instead of the REST wrapper. ### Resources - MS-OVIVA-EPA4ALL-771a78 ### Credits [Machine Spirits](https://machinespirits.com/) ([contact@machinespirits.de](mailto:contact@machinespirits.de)) - Dr. rer. nat. Simon Weber - Dipl.-Inf. Volker Schönefeld - Chiara Fliegner

🎯 Affected products1

maven/com.oviva.telematik:epa4all-client:< 1.2.2

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (5)