Cyber Resilience

CVE-2026-44900

Severity: High
Published: 26 May 2026
Modified: 27 May 2026
CISA KEV: not listed
Patch: available
CVSS v3.1 base score: 8.1 (vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0012 (2.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-44900 is a high-severity Improper Certificate Validation (CWE-295) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, its EPSS score places it at the 2.2th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

epa4all-client is the Java client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to version 1.2.1, the ECDSA signature verification at line 45 of SignedPublicKeysTrustValidatorImpl.isTrusted() discards the boolean return value of Signature.verify(). The method performs certificate chain validation, an OCSP check, and signature algorithm setup, but never checks whether the signature actually matches: for any structurally valid signature it returns true. This vulnerability is fixed in 1.2.1.
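The following is an added illustration of the weakness class described above, not code from epa4all-client: a constructed validator in the same shape as the pre-1.2.1 method drops the result of Signature.verify() beside a corrected variant that returns it. Run against a signature that is well-formed but was made over different data, the vulnerable variant reports the payload as trusted while the fixed variant rejects it; the key pair, class name and payloads are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class VerifyReturnValueDemo {

    // Same pattern as the reported bug: the boolean from verify() is discarded,
    // so only a malformed (unparseable) signature can cause rejection.
    static boolean vulnerableIsTrusted(PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(key);
        verifier.update(data);
        verifier.verify(sig); // return value ignored
        return true;
    }

    // Hardened form: the verification result decides trust, and any
    // exception from a malformed signature or key fails closed.
    static boolean fixedIsTrusted(PublicKey key, byte[] data, byte[] sig) {
        try {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(key);
            verifier.update(data);
            return verifier.verify(sig);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for a signed-public-keys trust anchor.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();

        byte[] presented = "constructed signed-public-keys payload".getBytes(StandardCharsets.UTF_8);
        byte[] other = "unrelated payload signed with the same key".getBytes(StandardCharsets.UTF_8);

        // A structurally valid ECDSA signature that does NOT cover 'presented'.
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(other);
        byte[] sigForOther = signer.sign();

        System.out.println("vulnerable isTrusted: " + vulnerableIsTrusted(kp.getPublic(), presented, sigForOther));
        System.out.println("fixed isTrusted:      " + fixedIsTrusted(kp.getPublic(), presented, sigForOther));
    }
}
```

A unit test that feeds a mismatched-but-well-formed signature into the validator and expects false is the cheapest regression guard for this class of bug.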

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

Insufficient information to map techniques. Confidence: LOW (MITRE ATT&CK Enterprise v19.0).

CVEs Like This One

Each of the following shares CWE-295 (Improper Certificate Validation) with this CVE:

- CVE-2026-7821
- CVE-2026-33810
- CVE-2026-42012
- CVE-2025-0500
- CVE-2024-11621
- CVE-2026-21228
- CVE-2026-8992
- CVE-2024-54848
- CVE-2025-70043
- CVE-2024-52330

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-295:

- When certificates are used to establish component provenance, the control requires correct certificate validation procedures.
- Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
- Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.
