Vulnerabilities ›

CVE-2026-25147

High

CWE-639 — Weakness Type

                    Published: Feb 27, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.1

🔗 NVD Official

📄 Description (English)

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid = ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history—horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue.

🤖 AI Executive Summary

OpenEMR versions prior to 8.0.0 contain an Insecure Direct Object Reference (IDOR) vulnerability in the patient portal payment page that allows authenticated users to access other patients' records by manipulating the patient ID parameter. This horizontal privilege escalation enables unauthorized viewing and interaction with other patients' demographics, invoices, and payment history.

📄 Description (Arabic)

تحتوي نسخ OpenEMR السابقة للإصدار 8.0.0 على ثغرة IDOR في صفحة دفع بوابة المريض حيث يتم أخذ معرف المريض من طلب المستخدم بدلاً من التحقق من هوية المستخدم المصرح. يسمح هذا للمستخدمين المصرحين بالوصول إلى سجلات المرضى الآخرين وعرض البيانات الديموغرافية والفواتير وسجل الدفع.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 9, 2026 22:20

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

healthcare government

🎯 MITRE ATT&CK Techniques

T1078.001 T1548.001 T1555.003 T1530

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Upgrade OpenEMR to version 8.0.0 or later immediately. Implement strict server-side validation to ensure authenticated users can only access their own patient records by validating the patient ID against the authenticated session user. Apply input validation and authorization checks on all patient ID parameters in portal_payment.php and similar pages.

🔧 خطوات المعالجة (العربية)

قم بترقية OpenEMR إلى الإصدار 8.0.0 أو أحدث فوراً. قم بتطبيق التحقق الصارم من جانب الخادم للتأكد من أن المستخدمين المصرحين يمكنهم الوصول فقط إلى سجلاتهم الخاصة بالتحقق من معرف المريض مقابل مستخدم جلسة العمل المصرح. طبق التحقق من المدخلات وفحوصات التفويض على جميع معاملات معرف المريض في portal_payment.php والصفحات المشابهة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.2.1 5.3.1

🔵 SAMA CSF

AC-2 AC-3 AC-6 SI-10

🟡 ISO 27001:2022

A.9.1.1 A.9.2.1 A.9.4.1 A.14.2.1

🔗 References & Sources 2

🔗

https://github.com/openemr/openemr/commit/d6ab3cd0b621b19b942cf49d2db2026e288aa214

security-advisories@github.com

🔗

https://github.com/openemr/openemr/security/advisories/GHSA-mwmw-qxv3-8whh

security-advisories@github.com

📊 CVSS Score

7.1

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.1

CWECWE-639

EPSS0.03%

Exploit No

Patch ✓ Yes

Published 2026-02-27

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-639

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-25147

💬 Comments

Introduce Yourself

Sign In Required