CVE-2026-12207
Status: Received - Intake
Improper Resource ID Control in medkey

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulDB

Description
A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. The affected function is actionGetPatientById in the file app\modules\medical\port\rest\controllers\PatientController.php of the component HTTP REST API. Manipulation of the argument ID results in improper control of resource identifiers. The attack can be performed remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release system for continuous delivery, so version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: medkey-org
Product: medkey
Version / Range: up to fc09b7ba9441ff590b72d428d5380834216b09ed (inclusive)
CWE
CWE-99: The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
Executive Summary

CVE-2026-12207 is an Insecure Direct Object Reference (IDOR) vulnerability in the Medkey Hospital Information System and Electronic Health Records software. It exists in the PatientController component, specifically in the actionGetPatientById($id) method, which retrieves patient records based on a user-supplied ID parameter without proper access control.

Because the application does not verify whether the authenticated user is authorized to access the requested patient's data, any authenticated user can manipulate the ID parameter in HTTP GET requests to access sensitive protected health information (PHI) of other patients.

This includes access to medical history, names, and insurance details. The underlying ActiveController class also lacks global row-level or object-level access validation, which worsens the problem.

Impact Analysis

This vulnerability allows unauthorized users to access sensitive protected health information (PHI) of other patients by manipulating the ID parameter in requests.

The impact includes potential unauthorized exfiltration of medical records, personal details, and insurance information, which can lead to privacy breaches, identity theft, and loss of trust in the healthcare provider.

Detection Guidance

This vulnerability can be detected by testing the HTTP REST API endpoint that handles patient data retrieval, specifically the actionGetPatientById method. By manipulating the ID parameter in HTTP GET requests, you can check whether unauthorized access to other patients' data is possible.

A practical approach is to use tools like curl or custom scripts to send requests with different ID values and observe whether the system returns data for patients other than the ones the authenticated user is authorized to view.

  • Example curl command to test access control on patient data: curl -i -H "Authorization: Bearer <token>" "http://<target>/app/modules/medical/port/rest/controllers/PatientController.php?action=actionGetPatientById&id=2"
  • Use the provided proof-of-concept script medkey_poc.py from the GitHub repository to automate testing for this IDOR vulnerability.
Mitigation Strategies

Immediate mitigation steps include implementing proper access control checks on the server side to ensure that users can only access patient records they are authorized to view.

Specifically, the application should verify that the authenticated user's session token corresponds to a medical professional authorized to access the requested patient's data before returning any information.

Until a patch or update is available, restrict access to the vulnerable API endpoint to trusted users only and monitor logs for suspicious access patterns involving manipulation of the ID parameter.
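The detection guidance and the interim mitigation above both come down to watching the actionGetPatientById endpoint for one client pulling many different patient records. The following is an added example, not code from the advisory or the medkey project; it assumes a combined-format web server access log and uses constructed, fabricated log lines and an arbitrary threshold of three distinct IDs per user.

```python
import re
from collections import defaultdict

# Constructed sample log lines (combined log format, made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Jun/2026:10:00:01 +0000] "GET /app/modules/medical/port/rest/controllers/PatientController.php?action=actionGetPatientById&id=17 HTTP/1.1" 200 812
10.0.0.5 - alice [15/Jun/2026:10:00:09 +0000] "GET /app/modules/medical/port/rest/controllers/PatientController.php?action=actionGetPatientById&id=17 HTTP/1.1" 200 812
10.0.0.9 - bob [15/Jun/2026:10:01:00 +0000] "GET /app/modules/medical/port/rest/controllers/PatientController.php?action=actionGetPatientById&id=1 HTTP/1.1" 200 790
10.0.0.9 - bob [15/Jun/2026:10:01:01 +0000] "GET /app/modules/medical/port/rest/controllers/PatientController.php?action=actionGetPatientById&id=2 HTTP/1.1" 200 801
10.0.0.9 - bob [15/Jun/2026:10:01:02 +0000] "GET /app/modules/medical/port/rest/controllers/PatientController.php?action=actionGetPatientById&id=3 HTTP/1.1" 200 799
10.0.0.9 - bob [15/Jun/2026:10:01:03 +0000] "GET /app/modules/medical/port/rest/controllers/PatientController.php?action=actionGetPatientById&id=4 HTTP/1.1" 404 120
10.0.0.9 - bob [15/Jun/2026:10:01:04 +0000] "GET /app/modules/medical/port/rest/controllers/PatientController.php?action=actionGetPatientById&id=5 HTTP/1.1" 200 805
"""

# Matches one request to the patient-by-ID endpoint: client IP, user, id, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"GET \S*action=actionGetPatientById&id=(?P<pid>\d+)[^"]*" (?P<status>\d{3})'
)

def parse_patient_requests(log_text):
    """Yield (user, ip, patient_id, status) for each matching log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["ip"], int(m["pid"]), int(m["status"])

def find_enumerators(log_text, max_distinct_ids=3):
    """Return {user: info} for users who fetched more than max_distinct_ids
    distinct patient records. 'sequential' is True when the IDs form an
    unbroken ascending run, the usual signature of an IDOR sweep."""
    ids_by_user = defaultdict(set)
    ok_by_user = defaultdict(int)
    for user, _ip, pid, status in parse_patient_requests(log_text):
        ids_by_user[user].add(pid)
        if status == 200:  # only count records actually returned
            ok_by_user[user] += 1
    alerts = {}
    for user, ids in ids_by_user.items():
        if len(ids) > max_distinct_ids:
            ordered = sorted(ids)
            alerts[user] = {
                "distinct_ids": len(ids),
                "successful": ok_by_user[user],
                "sequential": ordered == list(range(ordered[0], ordered[-1] + 1)),
            }
    return alerts

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

The threshold should be tuned to the real per-user volume of legitimate lookups; a 404 in the middle of a sequential run still counts toward the sweep because the attacker has no way to know which IDs exist.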

Compliance Impact

This vulnerability allows unauthorized access to sensitive protected health information (PHI) of patients by manipulating the ID parameter without proper access control checks.

Such unauthorized access and potential exfiltration of PHI can lead to violations of data protection regulations and standards like HIPAA and GDPR, which mandate strict controls over access to personal and health-related data.

Failure to properly restrict access to patient records undermines confidentiality and privacy requirements, increasing the risk of non-compliance with these regulations.
