CVE-2026-34055
IDOR Vulnerability in OpenEMR Patient Notes Allows Unauthorized Access
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | before 8.0.0.3 (8.0.0.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access, modification, and deletion of patient notes by authenticated users who should not have access to those notes. This results in a high confidentiality and integrity impact on sensitive patient data.
Such unauthorized access and modification of protected health information (PHI) can lead to non-compliance with regulations like HIPAA, which mandates strict controls on access to patient data to ensure confidentiality and integrity.
Similarly, under GDPR, improper access and processing of personal health data without proper authorization violates data protection principles, potentially leading to breaches of data privacy and security requirements.
Therefore, this vulnerability poses a significant risk to compliance with common healthcare and data protection standards by enabling unauthorized disclosure and alteration of sensitive patient information.
Can you explain this vulnerability to me?
CVE-2026-34055 is an Insecure Direct Object Reference (IDOR) vulnerability in the OpenEMR electronic health records system, specifically in the legacy patient notes functionality within the web UI code paths.
The vulnerability exists because several functions in the file `library/pnotes.inc.php` perform update and delete operations on patient notes using SQL queries with `WHERE id = ?` clauses without verifying that the note belongs to a patient the authenticated user is authorized to access.
This lack of proper authorization checks allows an attacker with valid credentials and patient/notes access permissions to read, modify, delete, or mark as inactive notes belonging to other patients.
Multiple web UI components pass user-controlled note IDs directly to these vulnerable functions without adequate validation, enabling unauthorized access and modification.
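As an added illustration (not OpenEMR's code), the query pattern the answer describes is shown beside the patient-ownership-checked form that the fix applies, run against a constructed SQLite table. The table layout, the column names and the `authorized_pid` parameter are assumptions made for this example; the point is that the hardened query binds the note id together with the patient the session is already authorized for, so a mismatched id touches zero rows instead of another patient's record.

```python
import sqlite3
from typing import Optional

# Constructed toy schema modelled on the pattern the advisory describes: a
# notes table keyed by an integer id that also records the owning patient
# (pid). Column names are assumptions for illustration, not OpenEMR's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pnotes ("
        " id INTEGER PRIMARY KEY, pid INTEGER NOT NULL,"
        " body TEXT NOT NULL, activity INTEGER NOT NULL DEFAULT 1)"
    )
    conn.executemany(
        "INSERT INTO pnotes (id, pid, body) VALUES (?, ?, ?)",
        [(1, 100, "note for patient 100"), (2, 200, "note for patient 200")],
    )
    conn.commit()
    return conn


def read_note_body(conn: sqlite3.Connection, note_id: int) -> Optional[str]:
    row = conn.execute("SELECT body FROM pnotes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None


def update_note_by_id_only(conn: sqlite3.Connection, note_id: int, body: str) -> int:
    """Weak pattern from the advisory: WHERE id = ? trusts the caller-supplied id
    alone, so any existing id, including another patient's note, is updated."""
    cur = conn.execute("UPDATE pnotes SET body = ? WHERE id = ?", (body, note_id))
    conn.commit()
    return cur.rowcount


def update_note_for_patient(conn: sqlite3.Connection, note_id: int,
                            authorized_pid: int, body: str) -> int:
    """Hardened pattern: authorized_pid is the patient the session is already
    authorized for (resolved server-side, never taken from the request), and
    the row must match both id and pid. A mismatch updates zero rows."""
    cur = conn.execute(
        "UPDATE pnotes SET body = ? WHERE id = ? AND pid = ?",
        (body, note_id, authorized_pid),
    )
    conn.commit()
    return cur.rowcount


def set_note_inactive_for_patient(conn: sqlite3.Connection, note_id: int,
                                  authorized_pid: int) -> int:
    """The same ownership predicate applied to the mark-inactive flow."""
    cur = conn.execute(
        "UPDATE pnotes SET activity = 0 WHERE id = ? AND pid = ?",
        (note_id, authorized_pid),
    )
    conn.commit()
    return cur.rowcount


def delete_note_for_patient(conn: sqlite3.Connection, note_id: int,
                            authorized_pid: int) -> int:
    """And applied to the delete flow."""
    cur = conn.execute(
        "DELETE FROM pnotes WHERE id = ? AND pid = ?", (note_id, authorized_pid)
    )
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    """Run both patterns as a session authorized only for patient 100."""
    conn = make_db()
    result = {
        # weak: the session for patient 100 rewrites patient 200's note
        "weak_rows": update_note_by_id_only(conn, 2, "tampered"),
        "weak_body": read_note_body(conn, 2),
    }
    conn = make_db()
    # hardened: note 2 belongs to pid 200, so nothing is changed
    result["hard_rows"] = update_note_for_patient(conn, 2, 100, "tampered")
    result["hard_body"] = read_note_body(conn, 2)
    # the session's own note is still editable
    result["own_rows"] = update_note_for_patient(conn, 1, 100, "legitimate edit")
    result["inactive_rows"] = set_note_inactive_for_patient(conn, 2, 100)
    result["delete_rows"] = delete_note_for_patient(conn, 2, 100)
    return result


if __name__ == "__main__":
    print(demo())
```

Checking `rowcount` matters in practice: a zero-row result on a hardened update is the signal that a caller supplied an id outside its authorized patient, and is worth logging as a denied action rather than silently returning success.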
How can this vulnerability impact me?
This vulnerability can have serious impacts, since it lets authenticated users access and modify patient notes they should not be able to reach. An authenticated user with notes access can:
- Read notes of other patients via the edit flow.
- Modify notes of other patients.
- Delete notes of other patients.
- Mark notes as done or inactive for other patients.
The vulnerability requires only low privileges (an authenticated user with notes access) and has a high impact on confidentiality and integrity of patient data, potentially leading to data breaches and loss of data trustworthiness.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access and modification of patient notes through the web UI by exploiting insufficient authorization checks on note IDs. Detection involves monitoring for unusual or unauthorized access patterns to patient notes, especially update or delete operations performed by users on notes that do not belong to them.
Since the vulnerability requires authenticated access with patient notes permissions, detection can include auditing logs for note modification or deletion events where the acting user is not the owner or authorized patient.
Specific commands are not provided in the available resources. However, general approaches include:
- Reviewing application audit logs for patient note updates or deletions by users on notes outside their authorized patients.
- Using web server or application logs to identify HTTP requests to endpoints such as `pnotes_full.php`, `pnotes_full_add.php`, `pnotes_fragment.php`, and `messages.php` with suspicious or unexpected note ID parameters.
- Employing network monitoring tools to detect abnormal API or UI calls that manipulate patient notes with IDs not matching the authenticated user's patients.
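The log-review approach in the answer above, worked as an added example that is not part of this advisory: it scans web server log lines for requests to the note endpoints named above, extracts the note id from the query string, and flags any request whose note belongs to a patient the acting user is not authorized for. The log lines, the `noteid` parameter name, the `/app/` path prefix, the note-to-patient map and the user-to-patient map are all constructed assumptions; in a real deployment the user and ownership data would come from the application's session and audit records rather than from the access log.

```python
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoints the advisory names as passing user-controlled note ids through.
NOTE_ENDPOINTS = {
    "pnotes_full.php", "pnotes_full_add.php", "pnotes_fragment.php", "messages.php",
}

# Common log format with the authenticated user in the remote-user field
# (an assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample data: note id -> owning patient id, user -> patients
# that user is authorized for.
NOTE_OWNER: Dict[int, int] = {1: 100, 2: 200, 3: 200}
USER_PATIENTS: Dict[str, Set[int]] = {"nurse_a": {100}, "nurse_b": {200}}

# Constructed sample log lines; "noteid" is an assumed parameter name.
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - nurse_a [26/Mar/2026:10:00:01 +0000] "POST /app/pnotes_full.php?noteid=1 HTTP/1.1" 200 512',
    '10.0.0.5 - nurse_a [26/Mar/2026:10:00:09 +0000] "GET /app/pnotes_full.php?noteid=2 HTTP/1.1" 200 734',
    '10.0.0.7 - nurse_b [26/Mar/2026:10:01:15 +0000] "POST /app/pnotes_full_add.php?noteid=3 HTTP/1.1" 200 410',
    '10.0.0.7 - nurse_b [26/Mar/2026:10:02:40 +0000] "GET /app/messages.php?noteid=7 HTTP/1.1" 200 388',
    '10.0.0.5 - nurse_a [26/Mar/2026:10:03:02 +0000] "GET /app/index.php HTTP/1.1" 200 1200',
]


def parse_note_request(line: str) -> Optional[dict]:
    """Return user, endpoint, method and note ids for a note-endpoint request,
    or None for lines that are not note-endpoint traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    endpoint = parts.path.rsplit("/", 1)[-1]
    if endpoint not in NOTE_ENDPOINTS:
        return None
    note_ids = [int(v) for v in parse_qs(parts.query).get("noteid", []) if v.isdigit()]
    return {
        "user": m.group("user"),
        "method": m.group("method"),
        "endpoint": endpoint,
        "note_ids": note_ids,
    }


def find_cross_patient_requests(
    lines: List[str], note_owner: Dict[int, int], user_patients: Dict[str, Set[int]]
) -> List[Tuple[str, str, int, Optional[int]]]:
    """Flag (user, endpoint, note_id, owning_pid) for every note id the acting
    user is not authorized for. Unknown note ids are flagged with pid None,
    since probing for ids that do not exist is also worth a look."""
    flagged = []
    for line in lines:
        req = parse_note_request(line)
        if req is None:
            continue
        allowed = user_patients.get(req["user"], set())
        for nid in req["note_ids"]:
            pid = note_owner.get(nid)
            if pid is None or pid not in allowed:
                flagged.append((req["user"], req["endpoint"], nid, pid))
    return flagged


if __name__ == "__main__":
    for hit in find_cross_patient_requests(SAMPLE_LOG, NOTE_OWNER, USER_PATIENTS):
        print("cross-patient note access:", hit)
```

Because the edit flow discloses note contents on a GET, the check is applied to every method, not only to POSTs that update or delete; restricting the query to a time window around a suspected incident and joining against the audit table's actual note owner is the natural next step.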
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability is patched by enforcing patient ownership checks on all patient note operations.
If immediate upgrade is not possible, consider the following steps:
- Restrict access to patient notes functionality to only fully trusted users with strict ACLs.
- Monitor and audit all patient note update, delete, and status change operations for unauthorized activity.
- Implement additional access control checks at the application or network level to prevent users from manipulating note IDs that do not belong to their authorized patients.
- Review and harden session management and authentication mechanisms to reduce risk of credential misuse.