CVE-2026-25147
Published: 27 February 2026
Summary
CVE-2026-25147 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-25147 is an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-639, affecting OpenEMR, a free and open-source electronic health records and medical practice management application. In versions prior to 8.0.0, the file `portal/portal_payment.php` improperly derives the patient ID (`$pid`) from user-supplied request parameters such as `$_REQUEST['pid']` or `$_REQUEST['hidden_patient_code']`, rather than enforcing the ID associated with the authenticated portal session. This flaw enables horizontal privilege escalation, allowing unauthorized access to sensitive patient data.
An authenticated portal user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality impact (C:H) by viewing another patient's demographics, invoices, and payment history, alongside low integrity impact (I:L) through limited interactions. The CVSS v3.1 base score is 7.1 (S:U, A:N), highlighting its severity in multi-tenant healthcare environments where patient separation is critical.
The OpenEMR security advisory (GHSA-mwmw-qxv3-8whh) and corresponding fix in commit d6ab3cd0b621b19b942cf49d2db2026e288aa214 confirm that upgrading to version 8.0.0 resolves the issue by properly fixing the patient ID to the authenticated user's session value, preventing overwrites from request parameters. Security practitioners should prioritize patching affected installations and review access controls in patient portals.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9036
Vulnerability details
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid…
more
= ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history—horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public-facing OpenEMR portal directly enables horizontal privilege escalation (T1068) via network exploitation of the web app (T1190), bypassing session-bound patient ID checks to access unauthorized data.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces that the authenticated portal session's $pid cannot be overwritten by request parameters, blocking unauthorized access to other patients' records.
Ensures a portal user is restricted to the minimum privileges associated with their own patient record, eliminating the ability to interact with other patients' data.
Enforces information-flow rules that prevent data belonging to one patient from flowing to another authenticated portal user.