Tue, 28 Apr 2026 20:51:02 UTC
PENNAME.ORG
HEALTHCARE INFORMATION SECURITY PORTAL

Serving the healthcare infosec community since MMXXV  |  HIPAA · HITECH · FDA · OCR · Zero Trust · Medical Device Security

Severity: CRITICAL  |  CVE-2026-3041  |  Published 2026-04-26

RCE in Epic MyChart authentication module

Summary

A vulnerability in the SAML assertion handling of Epic’s patient portal allows pre-authentication remote code execution against affected versions.

Affected versions

  • MyChart 10.4.x prior to patch 10.4.7
  • MyChart 10.5.x prior to patch 10.5.3

Impact

The bug is straightforward to exploit, requires no user interaction, and affects any instance reachable from the internet, which in practice is most of them. Successful exploitation grants code execution as the application service account.

Mitigation

  1. Apply Epic vendor-supplied patches immediately.
  2. Restrict patient portal exposure to known IP ranges where feasible.
  3. Review web server logs for malformed SAML assertions over the past 90 days.
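The log review in step 3 is easier to do consistently with a script than by eye. The following is an added example written for this advisory, not tooling from Epic or from the advisory itself. It assumes a combined-format access log in which the reverse proxy records the SAMLResponse parameter on the assertion consumer path (the path `/portal/saml/acs`, the log lines and the assertions are all constructed for illustration), and it treats an assertion as malformed when the parameter is not valid base64, decodes to something that is not well-formed XML, carries a DOCTYPE declaration (which SAML messages never legitimately contain), or does not have `samlp:Response` as its root element. It does not attempt to recognise any particular exploit payload, only to surface requests that a well-behaved identity provider would never send.

```python
"""Triage web-server access logs for malformed SAML assertions.

Added example for mitigation step 3 of the advisory; not code from Epic
or from the advisory. Log format, path and sample assertions are assumed.
"""
import base64
import binascii
import re
import urllib.parse
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Assumed: Apache/nginx combined log format with the request line quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
SAML_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_BYTES = 64 * 1024  # assumed upper bound for a legitimate decoded assertion


@dataclass
class Finding:
    ip: str
    ts: str
    reason: str


def extract_saml_response(path: str) -> Optional[str]:
    """Return the SAMLResponse query parameter, or None if absent."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query,
                                   keep_blank_values=True)
    values = params.get("SAMLResponse")
    return values[0] if values else None


def classify_saml_response(raw: str) -> Optional[str]:
    """Return a reason string if the assertion is malformed, else None."""
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return "SAMLResponse is not valid base64"
    if len(decoded) > MAX_BYTES:
        return f"decoded assertion exceeds {MAX_BYTES} bytes"
    # Reject DTDs before parsing: SAML never uses them, and they are the
    # usual vehicle for entity-expansion tricks against XML parsers.
    if b"<!DOCTYPE" in decoded:
        return "decoded assertion contains a DOCTYPE declaration"
    try:
        root = ET.fromstring(decoded)
    except ET.ParseError as exc:
        return f"decoded assertion is not well-formed XML ({exc})"
    if root.tag != f"{{{SAML_NS}}}Response":
        return f"root element is {root.tag!r}, expected samlp:Response"
    return None


def scan_log(lines) -> List[Finding]:
    """Parse each access-log line and collect malformed-assertion findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        raw = extract_saml_response(m["path"])
        if raw is None:
            continue  # no SAMLResponse on this request
        reason = classify_saml_response(raw)
        if reason:
            findings.append(Finding(m["ip"], m["ts"], reason))
    return findings


# --- constructed sample data (not real traffic) ---------------------------
def to_b64(xml: str) -> str:
    return base64.b64encode(xml.encode()).decode()


def encode_saml_param(xml: str) -> str:
    """Base64 then percent-encode, as it would appear in a logged URL."""
    return urllib.parse.quote(to_b64(xml), safe="")


GOOD_XML = (f'<samlp:Response xmlns:samlp="{SAML_NS}" ID="_a1" Version="2.0"/>')
TRUNCATED_XML = f'<samlp:Response xmlns:samlp="{SAML_NS}"><Assertion>'
DTD_XML = f'<!DOCTYPE x [<!ENTITY e "x">]><samlp:Response xmlns:samlp="{SAML_NS}"/>'

SAMPLE_LOG = [
    f'203.0.113.5 - - [27/Apr/2026:03:14:07 +0000] "GET /portal/saml/acs?SAMLResponse={encode_saml_param(GOOD_XML)} HTTP/1.1" 302 0',
    f'203.0.113.9 - - [27/Apr/2026:03:14:09 +0000] "GET /portal/saml/acs?SAMLResponse={encode_saml_param(TRUNCATED_XML)} HTTP/1.1" 500 0',
    '198.51.100.2 - - [27/Apr/2026:03:15:11 +0000] "GET /portal/saml/acs?SAMLResponse=%%%notbase64 HTTP/1.1" 400 0',
    f'198.51.100.7 - - [27/Apr/2026:03:16:00 +0000] "GET /portal/saml/acs?SAMLResponse={encode_saml_param(DTD_XML)} HTTP/1.1" 500 0',
    '192.0.2.1 - - [27/Apr/2026:03:17:00 +0000] "GET /portal/ HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts}  {f.ip:<15}  {f.reason}")
```

Run against real logs by replacing `SAMPLE_LOG` with the file's lines; a 90-day window usually means several rotated files, so feed them in order so the findings stay chronological. Requests that arrive by the HTTP-POST binding carry the assertion in the body rather than the query string and will only be visible if the proxy is configured to log that field; absence of findings from this script is therefore not evidence that no malformed assertions arrived.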

References

  • Epic Systems security bulletin (vendor portal, login required)
  • CISA AA26-117A
