CVE-2026-27943
Received Received - Intake
Insecure Direct Object Reference in OpenEMR Eye Exam Module

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to the current user’s patient/encounter context. An authenticated user can access or edit any patient’s eye exam by supplying another form ID; in some flows the session’s active patient may also be switched. A fix is available on the `main` branch of the OpenEMR GitHub repository.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27943
EUVD
EUVD-2026-8812
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27943 is an Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR's eye exam (eye_mag) view. In versions up to and including 8.0.0, the application loads eye exam data based on a user-supplied form ID without verifying that the form belongs to the current user's patient or encounter context."}, {'type': 'paragraph', 'content': "This means an authenticated user can access or edit any patient's eye exam by supplying another patient's form ID. In some cases, this can also switch the session's active patient context to that of the accessed form, potentially causing further unauthorized access or confusion."}, {'type': 'paragraph', 'content': "The root cause is that the system relies on session variables that can be stale or zero, and the URLs for forms do not include explicit patient or encounter identifiers, allowing unauthorized access to other patients' data."}] [2, 1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an authenticated user with access to eye exam forms to view or edit any patient's eye exam data by supplying arbitrary form IDs."}, {'type': 'list_item', 'content': 'Unauthorized viewing of protected health information (PHI) related to eye exams.'}, {'type': 'list_item', 'content': 'Potential unauthorized editing of clinical data, compromising data integrity.'}, {'type': 'list_item', 'content': 'Session context switching to another patient, which may lead to further unauthorized actions or confusion.'}, {'type': 'paragraph', 'content': 'Overall, this leads to privacy breaches and compromises the confidentiality of sensitive medical information.'}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access eye exam forms (eye_mag) using arbitrary form IDs to check if unauthorized access is possible.'}, {'type': 'paragraph', 'content': 'A proof of concept involves logging in as an authenticated user with eye exam access and then accessing URLs with different form IDs to see if data from other patients is accessible.'}, {'type': 'list_item', 'content': 'Log in to OpenEMR as a user with eye exam access.'}, {'type': 'list_item', 'content': 'Use a command-line tool like curl or a browser to request: `/interface/forms/eye_mag/view.php?id=555` (replace 555 with a guessed or known form ID).'}, {'type': 'list_item', 'content': "Check if the response contains eye exam data for a patient other than the logged-in user's patient."}, {'type': 'list_item', 'content': "Observe if the session's active patient context switches unexpectedly."}, {'type': 'paragraph', 'content': 'Example curl command to test access (replace URL and form ID accordingly):'}, {'type': 'list_item', 'content': "curl -b cookies.txt -c cookies.txt 'https://your-openemr-instance/interface/forms/eye_mag/view.php?id=555'"}, {'type': 'paragraph', 'content': 'If the response shows data for a patient not authorized to the logged-in user, the vulnerability is present.'}] [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable eye exam form view and monitoring user activity to prevent unauthorized access.

  • Limit access to the eye exam (eye_mag) view to only trusted and necessary users.
  • Implement network-level controls such as firewall rules or VPN access to restrict who can reach the OpenEMR instance.
  • Monitor logs for suspicious access patterns, such as users accessing form IDs that do not belong to their patients.

Apply the official fix from the OpenEMR repository as soon as possible, which includes:

  • Ensuring that URLs for forms include explicit patient ID (pid) and encounter parameters to avoid reliance on stale session data.
  • Updating the code to verify that the requested form belongs to the patient or encounter context of the authenticated user, returning an error if not.
  • Synchronizing session encounter data with the form being accessed to prevent IDOR issues.

Until the patch is applied, educate users about the risk and avoid sharing form IDs or URLs that could be exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart