{"id":"CVE-2026-45575","summary":"epa4all-client: Improper Verification of Cryptographic Signature","details":"epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects uri_puk_idp_enc and uri_puk_idp_sig to attacker-controlled URLs. The client then encrypts the SMC-B-signed challenge response to the attacker's encryption key and POSTs it to the attacker's auth endpoint. This captures the signed authentication material. This vulnerability is fixed in 1.2.2.","aliases":["GHSA-gqx7-6552-67hf"],"modified":"2026-07-10T21:02:04.115979Z","published":"2026-05-26T21:01:51.745Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-347"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45575.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45575.json"},{"type":"ADVISORY","url":"https://github.com/oviva-ag/epa4all-client/security/advisories/GHSA-gqx7-6552-67hf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45575"},{"type":"FIX","url":"https://github.com/oviva-ag/epa4all-client/pull/36"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/oviva-ag/epa4all-client","events":[{"introduced":"0"},{"fixed":"9111d6fbb939007036a7f74b2a93bb278cb5af32"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.2.2"}]}}],"versions":["v1.2.1","v1.2.0","v1.1.1-rc.0","v1.1.1","v1.1.0","v1.0.4-rc.1","v1.0.3-rc.2","v1.0.3","v1.0.2","v1.0.1","v1.0.0","v0.0.9","v0.0.8","epa4all-client/v0.0.3-rc.0","v0.0.7","v0.0.6","v0.0.5","v0.0.4","epa4all-client/v0.0.2-rc.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45575.json","vanir_signatures_modified":"2026-07-10T21:02:04Z","vanir_signatures":[{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["93655214730910374169778299484943661088","247041576309434056171462451070596075233","279748426418274630918796596088725251359","73147070783555932699966655388025965842","63350609916595446054537155433056735718","42365531878794908540268109048979143475","251161516542487107919838102796474675457","130967313401871873102361911009405772870","103389258451295446464458342622404286872"]},"signature_type":"Line","signature_version":"v1","target":{"file":"epa4all-client/src/test/java/com/oviva/telematik/epa4all/client/internal/TestKonnektors.java"},"id":"CVE-2026-45575-085c7e40","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"65533956755414704057849188521937871634","length":785},"signature_type":"Function","signature_version":"v1","target":{"function":"riseKonnektor_RU","file":"epa4all-client/src/test/java/com/oviva/telematik/epa4all/client/internal/TestKonnektors.java"},"id":"CVE-2026-45575-0cc0d346","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["232268433291172222188747555874337627960","304025663052756883702026117384007015936","195482063431509868683579423961730655379","18771879003508328797566196118192236715","231369826216463314713621370645709107411","323562690367241490271027545257624293666","339727548241255795513003463790019132948","323758608758077905586652302198514904926","159209879460303090539239599243262736818","95326169824921493242753784224361534634","70687320076843672737982242131923076436","281242311547885323003346524783220613302"]},"signature_type":"Line","signature_version":"v1","target":{"file":"epa4all-client/src/test/java/com/oviva/telematik/epa4all/client/internal/Epa4AllClientFactoryTest.java"},"id":"CVE-2026-45575-17ba9b8d","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["100837329045130405226452481187109985575","236874327950328391236700499060300793586","193534966578592498581844286778196550549","56174905719591512615748900103697965893","298331201640048256353622362261478492556","48954756258959114351911195059101536752","227798745546386902626022405328766604236","328567595282861350986556148122162418537","90023355143140392237890918438883171020"]},"signature_type":"Line","signature_version":"v1","target":{"file":"konnektor/konnektor-client/src/main/java/com/oviva/epa/client/konn/internal/KonnektorConnectionFactoryImpl.java"},"id":"CVE-2026-45575-198fcef9","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["322419011157239061859302909036466043446","225349019554063014049055517959522705067","248687332602994773072618146046011753367","199850952882745750770799687611152177995","127532392603609602916293223450321348384","88207484478585394245793707040308652911","258082093447615714732242350024838898202","126474191323829797738154101889907836321","325122239337701427926248544338689845822","299391322156961065033413440751804049367","132298085479714154988106321780774911243","317454577499036473484606306312897008748","90243424321323980266142889332695490487","144647606383822625523178707486458799692","62060998096826810160782839361109178742","181212544826370668965195990637223977238","315523309718470879375538694483684331601","222811388788067103414696894918120438984"]},"signature_type":"Line","signature_version":"v1","target":{"file":"epa4all-rest-service/src/main/java/com/oviva/telematik/epa4all/restservice/Main.java"},"id":"CVE-2026-45575-237bec0f","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["219664608548134457964861759866128862979","107019611088660400489995281151299641537","176932820488045676627303539537721822161","292775052762062094774548508846410849406","178967097792425825022736269352513082616","51653739027224871068108728679963936288","179695444897719554613258812399185350715","153014089514776317935760761925314088474","294090673083234057078239854513613941276","163505500324069890636655990271312176453","143501122089972672517399461087422361940","198774503619233340004484548382623815167","294549706262438472533850717583559484734","193263041006807267749183116439961647048","321238982807542967671976125405719310942","85904898691142141786285886083710163086","254732421242855890594544604718022448039","171256968019373670377893788017183008522","269075728965766754555843999234864213085"]},"signature_type":"Line","signature_version":"v1","target":{"file":"konnektor/konnektor-client/src/main/java/com/oviva/epa/client/konn/KonnektorConnectionFactoryBuilder.java"},"id":"CVE-2026-45575-2455cb05","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"11358662525448397003218493506997333422","length":259},"signature_type":"Function","signature_version":"v1","target":{"function":"buildAuthorizationService","file":"epa4all-client/src/main/java/com/oviva/telematik/epa4all/client/internal/Epa4AllClientFactory.java"},"id":"CVE-2026-45575-293e7fc0","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"24847963730666375769646832336873133056","length":505},"signature_type":"Function","signature_version":"v1","target":{"function":"buildService","file":"konnektor/konnektor-client/src/test/java/com/oviva/epa/client/KonnektorServiceAcceptanceTest.java"},"id":"CVE-2026-45575-30e1d70e","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"116736058735131513774111897993933349000","length":251},"signature_type":"Function","signature_version":"v1","target":{"function":"parseFromJwt","file":"epa4all-vau-client/src/main/java/com/oviva/telematik/vau/epa4all/client/authz/internal/OidcClient.java"},"id":"CVE-2026-45575-33f25f03","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["127495040886454071936750064433970295350","137051841002050970655366400056188529307","68237578697409332219829649248752183488","137484720876978885953032041327219194959"]},"signature_type":"Line","signature_version":"v1","target":{"file":"konnektor/konnektor-client/src/main/java/com/oviva/epa/client/konn/internal/KonnektorConnectionConfiguration.java"},"id":"CVE-2026-45575-3b12152c","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"101425182976842356309944850931458216341","length":253},"signature_type":"Function","signature_version":"v1","target":{"function":"buildFactory","file":"epa4all-rest-service/src/main/java/com/oviva/telematik/epa4all/restservice/Main.java"},"id":"CVE-2026-45575-535fb022","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"161298085069760128706605998666796013013","length":467},"signature_type":"Function","signature_version":"v1","target":{"function":"build","file":"konnektor/konnektor-client/src/main/java/com/oviva/epa/client/konn/KonnektorConnectionFactoryBuilder.java"},"id":"CVE-2026-45575-5b0aa5bc","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["49552079176617262730687323738704339709","109076571271794851900451785406904461284","313462367555700460528103497998191950849","244856434861500321763856302198691838172","198823142683984078471316076349943594215","105603057193605669786234616697658263007","206366031109195213937990202632833104497","103389258451295446464458342622404286872"]},"signature_type":"Line","signature_version":"v1","target":{"file":"konnektor/konnektor-client/src/test/java/com/oviva/epa/client/KonnektorServiceAcceptanceTest.java"},"id":"CVE-2026-45575-6cd8b187","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"264642707370366196647894678131848741771","length":194},"signature_type":"Function","signature_version":"v1","target":{"function":"tlsClientParameters","file":"konnektor/konnektor-client/src/main/java/com/oviva/epa/client/konn/internal/KonnektorConnectionFactoryImpl.java"},"id":"CVE-2026-45575-70eca0fe","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"185523228105892290683706170743503044797","length":193},"signature_type":"Function","signature_version":"v1","target":{"function":"buildOuterHttpClient","file":"epa4all-client/src/main/java/com/oviva/telematik/epa4all/client/internal/Epa4AllClientFactory.java"},"id":"CVE-2026-45575-732495b1","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["1350167161336753391613896377320474615","130291517330892764690653695938560760123","178878926794126128702430800422418471695","82181633718187287103365428595629591212","216298615495393391695069663706063866853","247867264209108517681527942571921117224","81423146587521945319225211723171314810","167059087938252289405191751155185314820","21499657209241894175480095405469172913","209868178903247277435734354365466745108","156031589970048572652691974570385365025","5489540736391588203737475033328835638","276567304900241198908688152979377581299","86156465250974242565084947048225038737","161885484008376506040245660225064701293","72058370626395773355131890827564760786","97304775600500370210941288501799534875","20062748776801240762381267316146899346","149212801897637767771279352929015358392","326941612404760914647206929610143854294","51292692766903467078896943054520495911","251225794245305307993513051167699595014","20127464761303843216931768217714029423","261911678744367453066520983432839589272","25674940711911851327861290268999262535","124037319362322412695234845046604908560"]},"signature_type":"Line","signature_version":"v1","target":{"file":"epa4all-vau-client/src/main/java/com/oviva/telematik/vau/epa4all/client/authz/internal/OidcClient.java"},"id":"CVE-2026-45575-9be44acf","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"91313310044899691902949071617554499921","length":639},"signature_type":"Function","signature_version":"v1","target":{"function":"parseResponse","file":"epa4all-vau-client/src/main/java/com/oviva/telematik/vau/epa4all/client/authz/internal/OidcClient.java"},"id":"CVE-2026-45575-afd6e38e","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"12957472144119735073388277929026774750","length":521},"signature_type":"Function","signature_version":"v1","target":{"function":"loadKeys","file":"epa4all-rest-service/src/main/java/com/oviva/telematik/epa4all/restservice/KeyStores.java"},"id":"CVE-2026-45575-b6b6ef15","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"64098333997216756898788449083813752905","length":677},"signature_type":"Function","signature_version":"v1","target":{"function":"create","file":"epa4all-client/src/main/java/com/oviva/telematik/epa4all/client/internal/Epa4AllClientFactory.java"},"id":"CVE-2026-45575-c642b8df","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"83468373610085975351068694040819236874","length":287},"signature_type":"Function","signature_version":"v1","target":{"function":"buildKonnektorService","file":"epa4all-rest-service/src/main/java/com/oviva/telematik/epa4all/restservice/Main.java"},"id":"CVE-2026-45575-d50c79c7","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["327670526268723465824472702938603899072","106126130664992543261077280317904817539","209760193576815783449873148473377105460","166743245877526646377080597866107889945","303505974478430421021784232868576340093","72805104071498781543717306985390995188","188894733857544782081847125225955038655","307614299967693336833171078998970108036","128669174289800584438358101000333800363","3106945261839000960519937790684595572","331323698222623277278785114482681990762","241106754930660710152110026598482701954","204505518871628790949540771312734564429"]},"signature_type":"Line","signature_version":"v1","target":{"file":"epa4all-client/src/main/java/com/oviva/telematik/epa4all/client/internal/TelematikTrustRoots.java"},"id":"CVE-2026-45575-d646e180","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["241976185596481330600484414654438235068","210495624303604414969076259587437051153","111309898617384867689992391582790500063","76995853499675922638228163219352358431"]},"signature_type":"Line","signature_version":"v1","target":{"file":"epa4all-rest-service/src/main/java/com/oviva/telematik/epa4all/restservice/KeyStores.java"},"id":"CVE-2026-45575-d917a281","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"function_hash":"200984395622661505936346284157380269580","length":98},"signature_type":"Function","signature_version":"v1","target":{"function":"trustAllServers","file":"konnektor/konnektor-client/src/main/java/com/oviva/epa/client/konn/KonnektorConnectionFactoryBuilder.java"},"id":"CVE-2026-45575-eae1bdf3","deprecated":false},{"source":"https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32","digest":{"threshold":0.9,"line_hashes":["126692230148766211532787779538036243712","65996726546481773456546024028332040514","180356405103297733012359782407218258303","260060253238325000923588887310143916352","145817139625748677802629415303011176567","251405933505995545406744685362989382459","1831259195317837675591218256125757460","319312251446941811380621157985757632630","249942665374670701717684337192087865030","292291749746178887561531982535677081341","325974188857512238444160807043715847631","303960985172798261329882490792685383006","83695955876916008322044133225736692309","243403566438477880896412656872514361827","334800412791758952032058680082343489161","56296152213000219747863305128103641029","134222074911954578873619427338137601689","306916606156293216881026581067833642299","135131697773382364785688599625970173132","121276065073926628188202092251934487835","129273964291983469312085815632684496218","209111560587486147430030132350189477966","120805664251129599136992092718051775301","140434409932456394628780308806652860216","278233688963010532054173307493321360681","58109921073649509907154281725654007849","165411434340237872879486198784352673989","207610519326173725885901430574128134087","190704310748942126524377192233616572417","180639385112142291489234901959205914688","200835258313913016196200063507492750500"]},"signature_type":"Line","signature_version":"v1","target":{"file":"epa4all-client/src/main/java/com/oviva/telematik/epa4all/client/internal/Epa4AllClientFactory.java"},"id":"CVE-2026-45575-eddcd2ed","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}