epa4all-client: VAU Signature bypass_CVE-2026-44900

8.1 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually matches. For any structurally valid signature, it returns true. This vulnerability is fixed in 1.2.1.

Basic Information

ID CVE-2026-44900

Source GitHub_M

Published May 26, 2026 at 21:04

Affected Product

Vendor oviva-ag

Product epa4all-client

Version < 1.2.1

Affected Versions oviva-ag epa4all-client < 1.2.1
com.oviva.telematik epa4all-client < 1.2.1

CWE Classification

CWE-295

References

{
    "lastseen": "",
    "description": "epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in  SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually matches. For any structurally valid signature, it returns true.  This vulnerability is fixed in 1.2.1.",
    "published": "2026-05-26T21:04:53.961Z",
    "modified": "2026-05-26T21:04:53.961Z",
    "type": "cve",
    "title": "epa4all-client: VAU Signature bypass",
    "source": "GitHub_M",
    "references": "https://github.com/oviva-ag/epa4all-client/security/advisories/GHSA-g8r3-5hwf-qp96\nhttps://github.com/oviva-ag/epa4all-client/pull/34",
    "id": "CVE-2026-44900",
    "bulletinFamily": "",
    "cwe": [
        "CWE-295"
    ],
    "cvelist": null,
    "sourceData": "oviva-ag epa4all-client < 1.2.1\ncom.oviva.telematik epa4all-client < 1.2.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "epa4all-client",
    "version": "< 1.2.1",
    "vendor": "oviva-ag",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}