Compliance Impact

This vulnerability allows unauthorized access to other patients' payment records, including Protected Health Information (PHI) such as invoice/billing data and payment card metadata. Such unauthorized disclosure of sensitive health and payment information can lead to non-compliance with regulations like HIPAA, which mandates the protection of patient health information, and GDPR, which requires safeguarding personal data and ensuring data privacy.

Specifically, the exposure of PHI and partial PCI card data (including cardholder name, masked card number, expiration date, CVV, and zip code) through an authorization bypass increases the risk of data breaches and privacy violations. Healthcare organizations using the affected patient portal payment feature may face regulatory penalties and reputational damage if this vulnerability is exploited.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33931 is an Insecure Direct Object Reference (IDOR) vulnerability in the OpenEMR patient portal payment page (portal/portal_payment.php) affecting versions prior to 8.0.0.3.

The vulnerability allows any authenticated patient portal user to access other patients' payment records by manipulating the `recid` query parameter, which corresponds to the primary key of records in the onsite_portal_activity database table.

The issue arises because the payment page accepts the `recid` parameter without proper authorization checks, executing a SQL query that retrieves records by ID without verifying that the record belongs to the authenticated patient.

As a result, an attacker can enumerate valid record IDs and access sensitive payment information of other patients, including cardholder name, card type, zip code, masked card number, expiration date, and CVV for certain payment records.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive patient payment information and Protected Health Information (PHI).

• Any authenticated patient portal user can access other patients' invoice and billing data by manipulating the `recid` parameter.
• Sensitive data exposed includes patient names, amounts, services, diagnoses, and payment card metadata such as cardholder name, last 4 digits of the card, expiration date, CVV, and zip code.

This exposure can lead to privacy violations, potential identity theft, financial fraud, and loss of trust in the healthcare provider's security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the patient portal payment page with manipulated `recid` query parameters to see if payment records of other patients are accessible without proper authorization.

A practical detection method is to log in as one patient and try to enumerate `recid` values in the URL `/portal/portal_payment.php?recid=<id>` to check if records belonging to other patients are exposed.

Since the `recid` corresponds to the primary key in the `onsite_portal_activity` database table and is an auto-increment integer, you can try sequential IDs to test unauthorized access.

No specific network commands are provided, but monitoring HTTP requests to `portal/portal_payment.php` with varying `recid` parameters and analyzing responses for unauthorized data exposure can help detect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability is patched.

The patch enforces patient ID filtering on records accessed via the `recid` parameter, ensuring that audit records are only accessible if they belong to the authenticated patient.

If upgrading immediately is not possible, restrict access to the patient portal payment page or implement additional access controls to prevent unauthorized manipulation of the `recid` parameter.

Useful 0 Not Useful 0