CVE-2026-25930
Insecure Direct Object Reference in OpenEMR Layout-Based Forms
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | all versions before 8.0.0 (8.0.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25930 is a moderate severity vulnerability in OpenEMR versions prior to 8.0.0 affecting the Layout-Based Form (LBF) printable view endpoint. The vulnerability occurs because the endpoint accepts formid, visitid, and optionally patientid parameters from user requests without verifying that these IDs belong to a patient or encounter the authenticated user is authorized to access.

This lack of access control allows an authenticated user with LBF access to enumerate or guess valid form and visit IDs of other patients and retrieve their encounter forms, exposing sensitive protected health information (PHI). Technically, the system does not perform authorization checks to ensure the requested form belongs to the current user's authorized patient or encounter, resulting in an Insecure Direct Object Reference (IDOR) vulnerability.

An attacker can exploit this by logging in with LBF access, guessing valid formid and visitid values for other patients, and making a request to the printable endpoint to view or print those patients' forms. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive protected health information (PHI) by allowing authenticated users with LBF access to view or print encounter forms of any patient, not just those they are authorized to access.
The impact includes a breach of patient confidentiality and privacy, potentially exposing sensitive medical data to unauthorized personnel.
Because the attack complexity is low and only low privileges are required, the risk of exploitation is significant in environments where multiple users have LBF access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the Layout-Based Form (LBF) printable view endpoint with manipulated parameters to see if unauthorized patient forms are accessible.

Specifically, an authenticated user with LBF access can try to enumerate or guess valid form IDs and visit IDs of other patients and make GET requests to the endpoint `interface/forms/LBF/printable.php` with these parameters.

If the server returns form content or PDFs for patients the user should not have access to, the vulnerability is present.

A sample command to test this could be a curl request like:

    curl -i -b cookies.txt "https://<openemr-server>/interface/forms/LBF/printable.php?formid=<guessed_formid>&visitid=<guessed_visitid>"

Here, `cookies.txt` contains authentication cookies for a user with LBF access. By changing `formid` and `visitid` values to those of other patients, you can check if unauthorized data is returned.

The expected secure behavior is a 403 Forbidden or 404 Not Found response when accessing forms not authorized to the user. [1]
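Besides probing the endpoint directly, a defender can look for exploitation of this issue in the web server's access logs: a single account fetching many distinct formid/visitid pairs from `interface/forms/LBF/printable.php` in a short window is the signature of ID enumeration. The script below is an added example, not OpenEMR code or part of the advisory; the combined log format, the constructed sample lines, the five-minute window and the threshold of ten distinct pairs are all assumptions to adjust to your environment.

```python
"""Flag accounts that fetch many distinct LBF form/visit IDs in a short window.

Added, constructed example for reviewing access logs after CVE-2026-25930.
Not OpenEMR code: the combined log format, the sample lines, the window and
the threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LBF_PRINTABLE = "/interface/forms/LBF/printable.php"

# Apache/nginx "combined" style line (assumed format), e.g.
# 10.0.0.5 - clinician1 [25/Feb/2026:10:00:01 +0000] "GET /interface/... HTTP/1.1" 200 4311
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for requests to the LBF printable endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if url.path != LBF_PRINTABLE:
        return None
    q = parse_qs(url.query)
    return {
        "user": m["user"],
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "status": int(m["status"]),
        "formid": q.get("formid", [None])[0],
        "visitid": q.get("visitid", [None])[0],
    }


def find_enumeration(lines, window=timedelta(minutes=5), threshold=10):
    """Map user -> largest number of distinct (formid, visitid) pairs that the
    user requested inside any `window`-long span, for users above `threshold`.

    Every request counts regardless of status: on an unpatched server the
    requests succeed, on a patched one the same pattern shows up as 403/404s.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["formid"] is not None:
            events[ev["user"]].append((ev["ts"], (ev["formid"], ev["visitid"])))

    hits = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {pair for _, pair in evs[start:end + 1]}
            if len(distinct) > threshold:
                hits[user] = max(hits.get(user, 0), len(distinct))
    return hits


# Constructed sample log: clinician1 walks 12 consecutive form IDs in 12 s,
# clinician2 reopens one legitimate form twice and visits an unrelated page.
SAMPLE_LOG = [
    f'10.0.0.5 - clinician1 [25/Feb/2026:10:00:{i:02d} +0000] '
    f'"GET {LBF_PRINTABLE}?formid={100 + i}&visitid={500 + i} HTTP/1.1" 200 4311'
    for i in range(12)
] + [
    f'10.0.0.9 - clinician2 [25/Feb/2026:10:03:00 +0000] '
    f'"GET {LBF_PRINTABLE}?formid=7&visitid=3 HTTP/1.1" 200 4311',
    f'10.0.0.9 - clinician2 [25/Feb/2026:10:03:20 +0000] '
    f'"GET {LBF_PRINTABLE}?formid=7&visitid=3 HTTP/1.1" 200 4311',
    '10.0.0.9 - clinician2 [25/Feb/2026:10:03:25 +0000] '
    '"GET /interface/main/main_screen.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for user, n in find_enumeration(SAMPLE_LOG).items():
        print(f"possible LBF enumeration: user={user} distinct_ids={n}")
```

The threshold has to be tuned against normal clinical workflow; a user who legitimately prints many forms for one patient will hit several formid values but all under the same visitid, so you may prefer to count distinct visitid values alone if that better matches how your site uses LBF forms.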
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade OpenEMR to version 8.0.0 or later where the issue is fixed.

If upgrading is not immediately possible, restrict access to the LBF printable view endpoint to only trusted users and monitor access logs for suspicious activity.

Additionally, implement network-level controls such as firewall rules to limit access to authenticated users with proper authorization.

Review and apply the patch that enforces authorization checks by verifying that the requested form belongs to the authenticated user's patient and encounter session.

- Ensure that the patient ID and visit ID are derived from the authenticated session rather than user-supplied parameters.
- Log and audit any unauthorized access attempts to detect exploitation attempts. [2]
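The two list items above describe one pattern: the handler must scope its lookup to the patient and encounter held in the authenticated session and record every denial. The code below is an added illustration of that pattern and is not OpenEMR's code or its patch; the in-memory `FORMS` table, the `Session` object and the handler names stand in for the real database and session layer and are assumptions. It shows the pre-fix shape, where every identifier is trusted from the request, next to the hardened shape.

```python
"""Ownership check for an LBF-style printable endpoint (added illustration).

Not OpenEMR code: `FORMS`, `Session` and the two handlers are assumptions
standing in for the real database and session layer.
"""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("lbf_audit")


@dataclass(frozen=True)
class FormRecord:
    form_id: int
    pid: int          # patient the form belongs to
    encounter: int    # visit (encounter) the form belongs to
    body: str


# Constructed sample data: two patients with one form each.
FORMS = {
    41: FormRecord(41, pid=1001, encounter=77, body="vitals for patient 1001"),
    42: FormRecord(42, pid=1002, encounter=78, body="vitals for patient 1002"),
}


@dataclass
class Session:
    user: str
    pid: int          # patient currently opened by this user
    encounter: int    # encounter currently opened by this user
    audit: list = field(default_factory=list)


def printable_vulnerable(session, formid, visitid, patientid=None):
    """Pre-fix shape: formid, visitid and patientid all come from the request.

    The session is never consulted, so any valid pair of IDs returns the form
    regardless of which patient the caller is authorized to see.
    """
    rec = FORMS.get(formid)
    if rec is None or rec.encounter != visitid:
        return 404, ""
    return 200, rec.body


def printable_fixed(session, formid):
    """Post-fix shape: only formid comes from the request.

    Patient and encounter are taken from the authenticated session and the
    lookup is scoped to them, so a form outside the caller's current patient
    and encounter is refused, and every refusal goes to the audit trail.
    """
    rec = FORMS.get(formid)
    if rec is None or rec.pid != session.pid or rec.encounter != session.encounter:
        entry = (f"denied user={session.user} formid={formid} "
                 f"session_pid={session.pid} session_encounter={session.encounter}")
        session.audit.append(entry)
        log.warning(entry)
        return 403, ""
    return 200, rec.body


if __name__ == "__main__":
    s = Session(user="clinician1", pid=1001, encounter=77)
    print(printable_vulnerable(s, 42, 78))   # other patient's form leaks
    print(printable_fixed(s, 42))            # refused and audited
    print(printable_fixed(s, 41))            # own patient's form, allowed
    print(s.audit)
```

Returning 403 for a form that exists but belongs to another patient tells a probing client that the ID is valid; returning 404 for both cases avoids that, and either status satisfies the expected secure behavior named in the detection answer above. What matters is that the decision is made from the session's patient and encounter, never from IDs the client supplied.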