CVE-2026-2991
Received Received - Intake
Authentication Bypass in KiviCare Plugin Exposes Patient Data

Publication date: 2026-03-18

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing information (PII/PHI breach). Additionally, authentication cookies are set before the role check, meaning the auth cookies for non-patient users (including administrators) are also set in the HTTP response headers, even though a 403 response is returned.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2991
EUVD
EUVD-2026-12838
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kivicare kivicare_clinic_management_system to 4.1.2 (inc)
kivicare kivicare to 4.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the KiviCare Clinic & Patient Management System WordPress plugin (up to version 4.1.2) is an Authentication Bypass. It occurs because the function patientSocialLogin() does not verify the social provider access token before authenticating a user.

This flaw allows an unauthenticated attacker to log in as any patient registered on the system by simply providing the patient's email address and an arbitrary access token value, bypassing all credential checks.

Additionally, authentication cookies are set before user role checks, which means even non-patient users (including administrators) receive authentication cookies in HTTP response headers despite a 403 Forbidden response.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to gain unauthorized access to sensitive patient information.

  • Attackers can access sensitive medical records, appointments, prescriptions, and billing information.
  • It leads to breaches of Personally Identifiable Information (PII) and Protected Health Information (PHI).
  • Unauthorized access to administrator accounts may also be possible due to authentication cookies being set before role verification.

Overall, this can result in data theft, privacy violations, and potential disruption of healthcare services.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to authenticate using the vulnerable KiviCare plugin's API login endpoint without valid credentials, specifically by providing a patient's email address and an arbitrary access token value."}, {'type': 'paragraph', 'content': "Since the vulnerability involves the `patientSocialLogin()` function not verifying the social provider access token, a test can be performed by sending crafted HTTP POST requests to the `/auth/login` REST API endpoint with a patient's email and an arbitrary token to see if authentication is granted."}, {'type': 'paragraph', 'content': 'Commands using curl to test this might look like the following example:'}, {'type': 'list_item', 'content': 'curl -X POST https://your-kivicare-site.com/wp-json/kivicare/v1/auth/login -d \'{"email":"[email protected]","access_token":"arbitraryvalue"}\' -H \'Content-Type: application/json\''}, {'type': 'paragraph', 'content': 'If the response indicates successful authentication without valid credentials, the vulnerability is present.'}] [1]

Mitigation Strategies

Immediate mitigation steps include updating the KiviCare plugin to a version later than 4.1.2 where this vulnerability is fixed.

If an update is not immediately possible, restrict access to the vulnerable API endpoints by implementing firewall rules or access controls to limit requests to trusted IP addresses.

Additionally, monitor authentication logs for suspicious login attempts using arbitrary access tokens and unusual email addresses.

Enabling Google reCAPTCHA verification on authentication endpoints, if supported and configured, can help mitigate automated exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart