CVE-2026-33931
IDOR Vulnerability in OpenEMR Patient Portal Exposes PHI
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | < 8.0.0.3 (8.0.0.3 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to other patients' payment records, including Protected Health Information (PHI) such as invoice/billing data and payment card metadata. Unauthorized disclosure of health and payment information of this kind puts a covered entity out of step with HIPAA, which requires safeguards for patient health information, and with GDPR, which requires that personal data be protected and processed only with a lawful basis.
Specifically, the exposure of PHI alongside payment card data (cardholder name, masked card number, expiration date, CVV, and zip code) through an authorization bypass raises the likelihood of a reportable breach. Note that PCI DSS prohibits retaining the CVV after authorization at all, so finding CVV in stored payment records is a compliance problem in its own right, separate from the access-control flaw. Healthcare organizations using the affected patient portal payment feature may face regulatory penalties and reputational damage if it is exploited.
Can you explain this vulnerability to me?
CVE-2026-33931 is an Insecure Direct Object Reference (IDOR) in the OpenEMR patient portal payment page (`portal/portal_payment.php`), affecting versions prior to 8.0.0.3.
Any authenticated patient portal user can read other patients' payment records by changing the `recid` query parameter, which is the primary key of the `onsite_portal_activity` database table.
The page takes `recid` from the request and runs a SQL query that selects the record by that id alone; it never restricts the result to the patient id bound to the current portal session, which is the authorization check a direct object reference like this needs.
Because the key is an auto-increment integer, an attacker can walk sequential values and read other patients' payment details, including cardholder name, card type, zip code, masked card number, expiration date and, for some records, the CVV.
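The lookup described above, as an added example that is not OpenEMR's code: a SQLite stand-in for `onsite_portal_activity` with constructed rows, the pre-fix query keyed on `id` alone beside the patched form that also binds the session's patient id, and a walk over sequential `recid` values that reports which ones leak another patient's record. The table name comes from the advisory; the column names, sample rows and patient ids are assumptions.

```python
import sqlite3
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for onsite_portal_activity. Only the table name is from the
# advisory; the columns are assumptions for the demonstration.
SCHEMA = """
CREATE TABLE onsite_portal_activity (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    patient_id INTEGER NOT NULL,
    activity   TEXT    NOT NULL,
    narrative  TEXT    NOT NULL
)
"""

# Constructed sample rows: two patients (101 and 202), three payment records, ids 1..3.
SAMPLE_ROWS = [
    (101, "payment", "Alice Example; Visa ****4242; exp 09/27; zip 02139"),
    (202, "payment", "Bob Example; Mastercard ****5100; exp 01/28; zip 10001"),
    (101, "payment", "Alice Example; Visa ****4242; exp 09/27; zip 02139"),
]

Row = Tuple[int, int, str]
Fetch = Callable[[sqlite3.Connection, int, int], Optional[Row]]


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO onsite_portal_activity (patient_id, activity, narrative) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, recid: int, session_pid: int) -> Optional[Row]:
    """Shape of the pre-8.0.0.3 lookup: keyed on the primary key alone.
    session_pid is available to the page but never reaches the query; that is the bug."""
    cur = conn.execute(
        "SELECT id, patient_id, narrative FROM onsite_portal_activity WHERE id = ?",
        (recid,),
    )
    return cur.fetchone()


def fetch_fixed(conn: sqlite3.Connection, recid: int, session_pid: int) -> Optional[Row]:
    """Hardened lookup: the row must match both the requested id and the patient
    bound to the portal session, so a foreign id yields no row at all."""
    cur = conn.execute(
        "SELECT id, patient_id, narrative FROM onsite_portal_activity "
        "WHERE id = ? AND patient_id = ?",
        (recid, session_pid),
    )
    return cur.fetchone()


def leaked_record_ids(conn: sqlite3.Connection, session_pid: int, fetch: Fetch,
                      max_id: int = 10) -> List[int]:
    """Walk sequential recid values as one patient and return the ids that came back
    belonging to a different patient. An empty list means the lookup is not an IDOR."""
    leaked = []
    for recid in range(1, max_id + 1):
        row = fetch(conn, recid, session_pid)
        if row is not None and row[1] != session_pid:
            leaked.append(recid)
    return leaked


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", leaked_record_ids(db, 101, fetch_vulnerable))  # [2]
    print("fixed:     ", leaked_record_ids(db, 101, fetch_fixed))       # []
```

The hardened query deliberately returns nothing (rather than a row plus a separate "is this mine?" check in application code) so that the authorization decision and the data fetch cannot drift apart.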
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive patient payment information and Protected Health Information (PHI).
- Any authenticated patient portal user can access other patients' invoice and billing data by manipulating the `recid` parameter.
- Sensitive data exposed includes patient names, amounts, services, diagnoses, and payment card metadata such as cardholder name, last 4 digits of the card, expiration date, CVV, and zip code.
This exposure can lead to privacy violations, potential identity theft, financial fraud, and loss of trust in the healthcare provider's security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The advisory ships no scanner or command for this issue; the direct check is a controlled test against your own instance, using a patient portal account you control, preferably on a non-production copy.
Log in as that patient, note the `recid` in the legitimate payment-page URL, then request `/portal/portal_payment.php?recid=<id>` for neighbouring values. A response that renders another patient's invoice or card details confirms the instance is exposed; a patched instance returns no record for ids that do not belong to the logged-in patient.
Because `recid` is the auto-increment primary key of `onsite_portal_activity`, ids are dense and sequential, so a handful of adjacent values is enough to demonstrate the problem; there is no need to scan widely.
For detection after the fact, review web server or reverse proxy access logs for requests to `portal/portal_payment.php`: one client or session fetching many distinct `recid` values in a short window, especially consecutive ones, is the enumeration signature, and a non-browser User-Agent on those requests strengthens the finding. A legitimate patient touches only their own few records.
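A detector for the log-monitoring approach above, added here and not part of the advisory or of OpenEMR: it parses combined-format access-log lines (a constructed sample using RFC 5737 documentation addresses), keeps requests to `portal/portal_payment.php` that carry a `recid`, flags clients that successfully retrieved many distinct ids, and checks whether those ids form a sequential run. The threshold, the sample traffic and the 403 used for refused probes in the sample are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Combined-format access-log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Requests to the payment page carrying a recid, wherever it sits in the query string.
RECID_RE = re.compile(r'^/portal/portal_payment\.php\?(?:.*&)?recid=(?P<recid>\d+)')

# Constructed sample log (not real traffic). 203.0.113.7 walks recid 40..47 with a
# scripted client; 198.51.100.20 is a patient reloading their own record;
# 192.0.2.9 probes two ids and is refused (403 is an assumption for the sample).
_LINE = '{ip} - - [26/Mar/2026:{t} +0000] "GET {path} HTTP/1.1" {st} {sz} "-" "{ua}"'
SAMPLE_LOG: List[str] = [
    _LINE.format(ip="203.0.113.7", t=f"10:01:{s:02d}",
                 path=f"/portal/portal_payment.php?recid={40 + s}",
                 st=200, sz=4812, ua="python-requests/2.31")
    for s in range(8)
] + [
    _LINE.format(ip="198.51.100.20", t="10:02:10", path="/portal/portal_payment.php?recid=12",
                 st=200, sz=4790, ua="Mozilla/5.0"),
    _LINE.format(ip="198.51.100.20", t="10:02:15", path="/portal/home.php",
                 st=200, sz=3100, ua="Mozilla/5.0"),
    _LINE.format(ip="198.51.100.20", t="10:05:33", path="/portal/portal_payment.php?recid=12",
                 st=200, sz=4790, ua="Mozilla/5.0"),
    _LINE.format(ip="192.0.2.9", t="10:07:01", path="/portal/portal_payment.php?recid=3",
                 st=403, sz=215, ua="curl/8.5.0"),
    _LINE.format(ip="192.0.2.9", t="10:07:02", path="/portal/portal_payment.php?pid=1&recid=4",
                 st=403, sz=215, ua="curl/8.5.0"),
]

Hit = Tuple[str, int, int]  # (client ip, http status, recid)


def parse_recid_requests(lines: List[str]) -> List[Hit]:
    """Return (ip, status, recid) for every request to the payment page that carries a recid."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = RECID_RE.match(m.group("path"))
        if not r:
            continue
        hits.append((m.group("ip"), int(m.group("status")), int(r.group("recid"))))
    return hits


def flag_enumeration(hits: List[Hit], threshold: int = 5) -> Dict[str, List[int]]:
    """Clients that successfully (HTTP 200) fetched at least `threshold` distinct recid values.
    Returns {ip: sorted distinct recids}. A single patient normally touches very few."""
    seen: Dict[str, set] = defaultdict(set)
    for ip, status, recid in hits:
        if status == 200:
            seen[ip].add(recid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


def looks_sequential(ids: List[int], min_ratio: float = 0.8) -> bool:
    """True when most steps between the sorted ids are +1, the signature of a scripted
    walk over an auto-increment key."""
    if len(ids) < 3:
        return False
    ids = sorted(ids)
    steps = [b - a for a, b in zip(ids, ids[1:])]
    return sum(1 for s in steps if s == 1) >= min_ratio * len(steps)


if __name__ == "__main__":
    for ip, ids in flag_enumeration(parse_recid_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {len(ids)} distinct recid values, sequential={looks_sequential(ids)}")
```

Key on the portal session or user id instead of the client address if your application logs carry it; NAT and shared proxies put many patients behind one IP, and an attacker can spread requests over several. The detector flags the enumeration pattern, not confirmed disclosure: on a patched instance the same walk produces no 200 responses with foreign records, which is why only successful requests are counted.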
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade OpenEMR to version 8.0.0.3 or later, where the issue is fixed.
The fix adds patient ID filtering to the lookup behind the `recid` parameter, so an `onsite_portal_activity` record is returned only when it belongs to the patient authenticated in the portal session.
If you cannot upgrade right away, deny access to `portal/portal_payment.php` at the web server or reverse proxy (this takes online payment offline for all portal users until the upgrade) or disable the patient portal. Do not rely on input filtering of `recid` alone: a legitimate request and a malicious one differ only in which integer is supplied, and only the application, which knows the session's patient id, can tell whether that record is the requester's. After upgrading, review access logs for earlier enumeration of `recid` values, since any confirmed exposure of PHI and card data may carry breach-notification obligations.