TLS Vulnerability in epa4all-client Java Client by oviva
CVE-2026-45575

7.4HIGH

Key Information:

Vendor: Oviva-ag
Status: Epa4all-client
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-45575?

The epa4all-client, a Java Client for the epa4all / ePA 3.0 within the Telematik Infrastruktur, is susceptible to man-in-the-middle (MITM) attacks. Attackers capable of intercepting the TLS connection between the client and the identity provider (IDP) can replace the legitimate discovery document with a malicious one. This spoofed document can redirect critical URLs to those controlled by the attacker. Consequently, the client may unintentionally encrypt and transmit sensitive authentication information to the attacker, jeopardizing user credentials and security. The vulnerability has been addressed in version 1.2.2.

Affected Version(s)

epa4all-client < 1.2.2

References

https://github.com/oviva-ag/epa4all-client/security/advis...

x_refsource_CONFIRM

https://github.com/oviva-ag/epa4all-client/pull/36

x_refsource_MISC

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 12, 2026

CVE-2026-45575 Data

JSON

Oviva-ag

What is CVE-2026-45575?

Affected Version(s)

References

CVSS V3.1

Timeline