CVE-2026-25930
Received Received - Intake
Insecure Direct Object Reference in OpenEMR Layout-Based Forms

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Layout-Based Form (LBF) printable view accepts `formid` and `visitid` (or `patientid`) from the request and does not verify that the form belongs to the current user’s authorized patient/encounter. An authenticated user with LBF access can enumerate form IDs and view or print any patient’s encounter forms. Version 8.0.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25930
EUVD
EUVD-2026-8717
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25930 is a moderate severity vulnerability in OpenEMR versions prior to 8.0.0 affecting the Layout-Based Form (LBF) printable view endpoint. The vulnerability occurs because the endpoint accepts formid, visitid, and optionally patientid parameters from user requests without verifying that these IDs belong to a patient or encounter the authenticated user is authorized to access.'}, {'type': 'paragraph', 'content': "This lack of access control allows an authenticated user with LBF access to enumerate or guess valid form and visit IDs of other patients and retrieve their encounter forms, exposing sensitive protected health information (PHI). Technically, the system does not perform authorization checks to ensure the requested form belongs to the current user's authorized patient or encounter, resulting in an Insecure Direct Object Reference (IDOR) vulnerability."}, {'type': 'paragraph', 'content': "An attacker can exploit this by logging in with LBF access, guessing valid formid and visitid values for other patients, and making a request to the printable endpoint to view or print those patients' forms."}] [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive protected health information (PHI) by allowing authenticated users with LBF access to view or print encounter forms of any patient, not just those they are authorized to access.

The impact includes a breach of patient confidentiality and privacy, potentially exposing sensitive medical data to unauthorized personnel.

Because the attack complexity is low and only low privileges are required, the risk of exploitation is significant in environments where multiple users have LBF access.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the Layout-Based Form (LBF) printable view endpoint with manipulated parameters to see if unauthorized patient forms are accessible.'}, {'type': 'paragraph', 'content': 'Specifically, an authenticated user with LBF access can try to enumerate or guess valid form IDs and visit IDs of other patients and make GET requests to the endpoint `interface/forms/LBF/printable.php` with these parameters.'}, {'type': 'paragraph', 'content': 'If the server returns form content or PDFs for patients the user should not have access to, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'A sample command to test this could be a curl request like:'}, {'type': 'list_item', 'content': 'curl -i -b cookies.txt "https://<openemr-server>/interface/forms/LBF/printable.php?formid=<guessed_formid>&visitid=<guessed_visitid>"'}, {'type': 'paragraph', 'content': 'Here, `cookies.txt` contains authentication cookies for a user with LBF access. By changing `formid` and `visitid` values to those of other patients, you can check if unauthorized data is returned.'}, {'type': 'paragraph', 'content': 'The expected secure behavior is a 403 Forbidden or 404 Not Found response when accessing forms not authorized to the user.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, upgrade OpenEMR to version 8.0.0 or later where the issue is fixed.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, restrict access to the LBF printable view endpoint to only trusted users and monitor access logs for suspicious activity.'}, {'type': 'paragraph', 'content': 'Additionally, implement network-level controls such as firewall rules to limit access to authenticated users with proper authorization.'}, {'type': 'paragraph', 'content': "Review and apply the patch that enforces authorization checks by verifying that the requested form belongs to the authenticated user's patient and encounter session."}, {'type': 'list_item', 'content': 'Ensure that the patient ID and visit ID are derived from the authenticated session rather than user-supplied parameters.'}, {'type': 'list_item', 'content': 'Log and audit any unauthorized access attempts to detect exploitation attempts.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25930. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart