GHSA-g8r3-5hwf-qp96

Source

https://github.com/advisories/GHSA-g8r3-5hwf-qp96

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g8r3-5hwf-qp96/GHSA-g8r3-5hwf-qp96.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g8r3-5hwf-qp96

Aliases

CVE-2026-44900

Published

2026-05-08T23:47:12Z

Modified

2026-05-09T00:04:03.741681Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

epa4all-client has a VAU Signature bypass

Details

Impact

In SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually matches. For any structurally valid signature, it returns true.

Patches

Patched in #34.

Workarounds

None.

Resources

MS-OVIVA-EPA4ALL-d76aec

Credits

Machine Spirits (contact@machinespirits.de) - Dr. rer. nat. Simon Weber - Dipl.-Inf. Volker Schönefeld - Chiara Fliegner

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T23:47:12Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

Maven / com.oviva.telematik:epa4all-client

Package

Name: com.oviva.telematik:epa4all-client; View open source insights on deps.dev
Purl: pkg:maven/com.oviva.telematik/epa4all-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.1

Affected versions

0.*

0.0.2-rc.0

0.0.4

0.0.5

0.0.7

0.0.8

1.*

1.0.0

1.0.2

1.0.3

1.1.0

1.1.1

1.2.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g8r3-5hwf-qp96/GHSA-g8r3-5hwf-qp96.json"

last_known_affected_version_range

"<= 1.2.0"