CVE-2026-47672
epa4all-client: Unauthenticated REST API for Patient Record Writes
Description
### Impact

Any network-reachable caller can write arbitrary documents to the electronic health record of any patient that is accessible through the institution's SMC-B card. In a misconfigured deployment (for example, one that follows the production Docker example in the README), this is exploitable from the local network without credentials.

### Patches

- [#43](https://github.com/oviva-ag/epa4all-client/pull/43)

### Workarounds

Use network policies or proxies to enforce service-to-service authentication, for example via mTLS:

- run the service in an isolated network namespace, e.g. as a Kubernetes sidecar
- use a service mesh with corresponding policies

### References

- MS-OVIVA-EPA4ALL-8b2af7

### Credits

[Machine Spirits](https://machinespirits.com/)

- Dr. rer. nat. Simon Weber
- Dipl.-Inf. Volker Schönefeld
- Chiara Fliegner
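One concrete form of the "network policies" workaround, written here as an added example and not taken from the advisory or the epa4all-client project: a Kubernetes NetworkPolicy that allows ingress to the epa4all-client pods only from the one workload that is supposed to call the REST API. The namespace `ehr`, the labels `app=epa4all-client` and `app=ehr-integration`, and the listening port `8080` are assumptions for illustration; substitute the values of your deployment.

```yaml
# Added example, not part of the upstream advisory or the epa4all-client project.
# Allows only pods labelled app=ehr-integration to reach the epa4all-client
# REST API; every other ingress to the selected pods is dropped.
# Assumptions (hypothetical): namespace "ehr", the API listens on TCP 8080,
# and the pods carry the labels shown below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: epa4all-client-ingress
  namespace: ehr
spec:
  # Pods this policy applies to: the epa4all-client instances.
  podSelector:
    matchLabels:
      app: epa4all-client
  # Only ingress is restricted; egress to the ePA backend is left untouched.
  policyTypes:
    - Ingress
  ingress:
    - from:
        # The single legitimate caller in the same namespace.
        - podSelector:
            matchLabels:
              app: ehr-integration
      ports:
        - protocol: TCP
          port: 8080
```

Two caveats a practitioner should check before relying on this. First, a NetworkPolicy is only enforced by a CNI that implements it (for example Calico or Cilium); on a cluster whose network plugin ignores NetworkPolicy objects the manifest applies cleanly and does nothing, so verify by running a request from a pod that is not in the allow list and confirming it times out. Second, deploying epa4all-client as a sidecar does not by itself hide the port: the pod IP remains routable from the cluster network, so the sidecar pattern only isolates the API if the process binds to loopback, which the page does not confirm the service supports, or if a policy like the one above restricts ingress.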
How to fix CVE-2026-47672
No fixed version is listed for this record. The upstream advisory references [PR #43](https://github.com/oviva-ag/epa4all-client/pull/43) as the patch; until a release containing it is available, mitigate by isolating the service at the network level as described under Workarounds above, or by removing the affected package.
Is CVE-2026-47672 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47672.
Affected packages (1)
- epa4all-client: all versions from 0 up to and including 1.2.4
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |