CVE-2026-45575: Improper Verification of Cryptographic Signature in com.oviva.telematik:epa4all-client
(updated )
An attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects u ri_puk_idp_enc and uri_puk_idp_sig to attacker-controlled URLs. The client then encrypts the SMC-B-signed challenge response to the attacker’s encryption key and POSTs it to the attacker’s auth endpoint. This captures the signed authentication material.
References
- github.com/advisories/GHSA-gqx7-6552-67hf
- github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32
- github.com/oviva-ag/epa4all-client/pull/36
- github.com/oviva-ag/epa4all-client/releases/tag/v1.2.2
- github.com/oviva-ag/epa4all-client/security/advisories/GHSA-gqx7-6552-67hf
- nvd.nist.gov/vuln/detail/CVE-2026-45575
Code Behaviors & Features
Detect and mitigate CVE-2026-45575 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →