CVE-2026-42516
Improper Authorization in e-Sushrut Enables Patient Account Access
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: Indian Computer Emergency Response Team (CERT-In)
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the e-Sushrut system due to improper authorization checks when accessing resources. An attacker who is already authenticated can exploit this flaw by manipulating encoded parameters in the request URL, which allows them to gain unauthorized access to patient accounts within the system.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to sensitive patient accounts, potentially exposing confidential medical information. This unauthorized access could result in privacy breaches, data theft, or misuse of patient data, which can harm patients and damage the trustworthiness of the healthcare system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated attacker to gain unauthorized access to patient accounts by exploiting improper authorization checks. Such unauthorized access to sensitive patient information can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls on access to personal and health-related data.
Specifically, unauthorized access to patient accounts compromises confidentiality and privacy requirements, potentially resulting in non-compliance with these standards and exposing the organization to legal and regulatory penalties.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to sensitive patient accounts. This means an attacker could view or potentially manipulate private patient information without proper permission, compromising patient privacy and the security of the healthcare system.