CVE-2026-27943
Insecure Direct Object Reference in OpenEMR Eye Exam Module
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | up to and including 8.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27943 is an Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR's eye exam (eye_mag) view. In versions up to and including 8.0.0, the application loads eye exam data based on a user-supplied form ID without verifying that the form belongs to the current user's patient or encounter context.

This means an authenticated user can access or edit any patient's eye exam by supplying another patient's form ID. In some cases, this can also switch the session's active patient context to that of the accessed form, potentially causing further unauthorized access or confusion.

The root cause is that the system relies on session variables that can be stale or zero, and the URLs for forms do not include explicit patient or encounter identifiers, allowing unauthorized access to other patients' data. [2, 1]
How can this vulnerability impact me?
This vulnerability allows an authenticated user with access to eye exam forms to view or edit any patient's eye exam data by supplying arbitrary form IDs.
- Unauthorized viewing of protected health information (PHI) related to eye exams.
- Potential unauthorized editing of clinical data, compromising data integrity.
- Session context switching to another patient, which may lead to further unauthorized actions or confusion.
Overall, this leads to privacy breaches and compromises the confidentiality of sensitive medical information. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access eye exam forms (eye_mag) using arbitrary form IDs to check if unauthorized access is possible.

A proof of concept involves logging in as an authenticated user with eye exam access and then accessing URLs with different form IDs to see if data from other patients is accessible.
- Log in to OpenEMR as a user with eye exam access.
- Use a command-line tool like curl or a browser to request: `/interface/forms/eye_mag/view.php?id=555` (replace 555 with a guessed or known form ID).
- Check if the response contains eye exam data for a patient other than the logged-in user's patient.
- Observe if the session's active patient context switches unexpectedly.

Example curl command to test access (replace URL and form ID accordingly):
- `curl -b cookies.txt -c cookies.txt 'https://your-openemr-instance/interface/forms/eye_mag/view.php?id=555'`

If the response shows data for a patient not authorized to the logged-in user, the vulnerability is present. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable eye exam form view and monitoring user activity to prevent unauthorized access.
- Limit access to the eye exam (eye_mag) view to only trusted and necessary users.
- Implement network-level controls such as firewall rules or VPN access to restrict who can reach the OpenEMR instance.
- Monitor logs for suspicious access patterns, such as users accessing form IDs that do not belong to their patients.
Apply the official fix from the OpenEMR repository as soon as possible, which includes:
- Ensuring that URLs for forms include explicit patient ID (pid) and encounter parameters to avoid reliance on stale session data.
- Updating the code to verify that the requested form belongs to the patient or encounter context of the authenticated user, returning an error if not.
- Synchronizing session encounter data with the form being accessed to prevent IDOR issues.
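The authorization pattern the fix describes, shown as an added example that is not OpenEMR's own code: the pre-fix lookup selects the form by the user-supplied id alone, while the hardened lookup requires explicit pid and encounter parameters, refuses zero or mismatched session context, binds the query to pid and encounter, and synchronizes the session encounter with the form served. The table name, columns and session layout are assumptions; the rows are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the eye exam form table (schema assumed, data invented).
SCHEMA = """
CREATE TABLE form_eye_mag (id INTEGER PRIMARY KEY, pid INTEGER, encounter INTEGER, notes TEXT);
INSERT INTO form_eye_mag VALUES (555, 1001, 77, 'OD 20/20, OS 20/25');
INSERT INTO form_eye_mag VALUES (556, 2002, 91, 'OD 20/40, OS 20/40');
"""


class AuthorizationError(Exception):
    pass


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def load_form_vulnerable(conn, form_id):
    """Pre-fix behaviour: the user-supplied id is the only selector, so any form is served."""
    row = conn.execute("SELECT * FROM form_eye_mag WHERE id = ?", (form_id,)).fetchone()
    return dict(row) if row else None


def load_form_fixed(conn, form_id, request_pid, request_encounter, session):
    """Hardened lookup: explicit pid/encounter from the URL, checked against the session."""
    if not request_pid or not request_encounter:
        raise AuthorizationError("pid and encounter must be supplied explicitly")
    if session.get("pid") != request_pid:   # a zero or stale session pid fails here too
        raise AuthorizationError("requested pid is not the session's active patient")
    row = conn.execute(
        "SELECT * FROM form_eye_mag WHERE id = ? AND pid = ? AND encounter = ?",
        (form_id, request_pid, request_encounter)).fetchone()
    if row is None:
        raise AuthorizationError("form does not belong to this patient/encounter")
    session["encounter"] = row["encounter"]  # keep session encounter in sync with the form
    return dict(row)


def demo():
    """Own form served; another patient's form refused with either pid in the URL."""
    conn = open_db()
    session = {"pid": 1001, "encounter": 0}   # encounter 0 mimics the stale/zero session state
    own = load_form_fixed(conn, 555, 1001, 77, session)
    leaked = False
    for args in ((556, 1001, 77), (556, 2002, 91)):
        try:
            load_form_fixed(conn, *args, session)
            leaked = True
        except AuthorizationError:
            pass
    return own["pid"], session["encounter"], leaked, load_form_vulnerable(conn, 556)["pid"]
```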
Until the patch is applied, educate users about the risk and avoid sharing form IDs or URLs that could be exploited.