The epa4all-client Java application used in the Telematik Infrastruktur for electronic patient records suffers from CWE-306: Missing Authentication for Critical Function. Versions up to 1.2.4 allow any network-reachable actor to write arbitrary documents to any patient's electronic health record accessible via the institution's SMC-B card. This vulnerability is particularly exploitable in misconfigured deployments, such as those following the provided Docker example, where no authentication is enforced on document write operations. The CVSS 3.1 vector indicates the attack requires adjacent network access (AV:A), low attack complexity (AC:L), no privileges (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N).

An attacker with network access to the affected system can write arbitrary documents into any patient's electronic health record without authentication. This compromises the integrity of patient records, potentially leading to misinformation or unauthorized data injection. There is no direct confidentiality or availability impact reported. The vulnerability is medium severity with a CVSS score of 6.5. No known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, ensure deployments are correctly configured to enforce authentication on critical functions, avoiding default or example configurations that allow unauthenticated access. Restrict network access to trusted entities only and review deployment configurations carefully to prevent exposure of the epa4all-client service to untrusted networks.