CVSS 8.1 HIGH Vulnerability

CVE-2026-44900: epa4all-client has a VAU Signature bypass


CVSS Score: 8.1
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-44900
Vendor: maven
Affected Product: com.oviva.telematik:epa4all-client
Vulnerability Type: Vulnerability
CVSS Score: 8.1 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Impact

In SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually matches. For any structurally valid signature, it returns true.
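
The bug class described above, as an added Java example (not code from epa4all-client or the advisory): a verifier that drops the result of `Signature.verify()` beside one that returns it, exercised with a constructed signature made by a key the verifier does not trust. The class and method names, the curve `secp256r1` and the algorithm `SHA256withECDSA` are assumptions; the certificate chain and OCSP steps are omitted.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

// Added illustration; class and method names are hypothetical, not epa4all-client code.
public class VerifyResultDemo {

    // Pattern described in the advisory: verify() is called but its boolean is dropped.
    static boolean isTrustedDiscarding(PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(data);
        s.verify(sig);   // result ignored; only an improperly encoded signature throws
        return true;
    }

    // Hardened form: the verification result is the return value.
    static boolean isTrustedChecked(PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));   // assumed curve
        KeyPair trusted = kpg.generateKeyPair();
        KeyPair other = kpg.generateKeyPair();   // key the verifier does not trust

        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        // Constructed input: well-formed DER ECDSA signature from the wrong private key.
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(other.getPrivate());
        signer.update(data);
        byte[] wrongSig = signer.sign();

        PublicKey pub = trusted.getPublic();
        System.out.println("discarding: " + isTrustedDiscarding(pub, data, wrongSig));
        System.out.println("checked:    " + isTrustedChecked(pub, data, wrongSig));
    }
}
```

A unit test that feeds a wrong-key signature to the trust validator and asserts rejection catches a regression of this kind.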

Patches

Patched in [#34](https://github.com/oviva-ag/epa4all-client/pull/34).

Workarounds

None.

Resources

• [MS-OVIVA-EPA4ALL-d76aec](https://www.machinespirits.com/advisory/d76aec/)

Credits

[Machine Spirits](https://machinespirits.com) (contact@machinespirits.de)

• Dr. rer. nat. Simon Weber
• Dipl.-Inf. Volker Schönefeld
• Chiara Fliegner
