What is GHSA-c82x-f4xr-qv33?

GHSA-c82x-f4xr-qv33 is a security advisory published by GitHub Security Advisories with Medium severity. epa4all-client: Unauthenticated REST API for Patient Record Writes

Which CVE IDs does GHSA-c82x-f4xr-qv33 cover?

GHSA-c82x-f4xr-qv33 covers the following CVE IDs: CVE-2026-47672. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-c82x-f4xr-qv33?

GHSA-c82x-f4xr-qv33 has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

Which products are affected by GHSA-c82x-f4xr-qv33?

GHSA-c82x-f4xr-qv33 affects 1 product, including: maven/com.oviva.telematik:epa4all-rest-service:\u003c= 1.2.4.

GHSA-c82x-f4xr-qv33MediumCVSS 6.5

epa4all-client: Unauthenticated REST API for Patient Record Writes

Vendor

GitHub Security Advisories

Published

June 4, 2026

Last Modified

June 4, 2026

🔗 CVE IDs covered (1)

CVE-2026-47672 →

📋 Description

Impact

Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without credentials.

Patches

Workarounds

Use network policies or proxies to enforce service-to-service authentication via e.g. mTLS.

run the service in an isolated network namespace e.g. as Kubernetes sidecar
service-mesh with corresponding policies

References

MS-OVIVA-EPA4ALL-8b2af7

Credits

Machine Spirits (contact@machinespirits.de)

Dr. rer. nat. Simon Weber
Dipl.-Inf. Volker Schönefeld
Chiara Fliegner

🎯 Affected products1

maven/com.oviva.telematik:epa4all-rest-service:<= 1.2.4