CVE-2026-42514
Plaintext OTP Exposure in e-Sushrut API Enables Account Takeover
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: Indian Computer Emergency Response Team (CERT-In)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability involves the exposure of OTPs in plaintext within API responses, which could allow unauthorized access to user accounts through interception.
Such unauthorized access and exposure of sensitive authentication data could lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require protection of personal and authentication data to ensure user privacy and security.
Can you explain this vulnerability to me?
This vulnerability exists in the e-Sushrut system because one-time passwords (OTPs) are exposed in plaintext within API responses.
A remote attacker can exploit this by intercepting these API responses to obtain valid OTPs.
How can this vulnerability impact me? :
If exploited successfully, an attacker could impersonate the targeted user.
This would allow unauthorized access to user accounts on the affected system.
How can this vulnerability impact me? :
If exploited successfully, an attacker could impersonate the targeted user.
This would allow unauthorized access to user accounts on the affected system.
Can you explain this vulnerability to me?
This vulnerability exists in the e-Sushrut system because one-time passwords (OTPs) are exposed in plaintext within API responses.
A remote attacker can exploit this by intercepting these API responses that contain valid OTPs.