Cyber Resilience

CVE-2026-25147

HighPublic PoC

Published: 27 February 2026

Published
27 February 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0013 32.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25147 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-25147 is an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-639, affecting OpenEMR, a free and open-source electronic health records and medical practice management application. In versions prior to 8.0.0, the file `portal/portal_payment.php` improperly derives the patient ID (`$pid`) from user-supplied request parameters such as `$_REQUEST['pid']` or `$_REQUEST['hidden_patient_code']`, rather than enforcing the ID associated with the authenticated portal session. This flaw enables horizontal privilege escalation, allowing unauthorized access to sensitive patient data.

An authenticated portal user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality impact (C:H) by viewing another patient's demographics, invoices, and payment history, alongside low integrity impact (I:L) through limited interactions. The CVSS v3.1 base score is 7.1 (S:U, A:N), highlighting its severity in multi-tenant healthcare environments where patient separation is critical.

The OpenEMR security advisory (GHSA-mwmw-qxv3-8whh) and corresponding fix in commit d6ab3cd0b621b19b942cf49d2db2026e288aa214 confirm that upgrading to version 8.0.0 resolves the issue by properly fixing the patient ID to the authenticated user's session value, preventing overwrites from request parameters. Security practitioners should prioritize patching affected installations and review access controls in patient portals.

EU & UK References

Vulnerability details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid…

more

= ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history—horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

IDOR in public-facing OpenEMR portal directly enables horizontal privilege escalation (T1068) via network exploitation of the web app (T1190), bypassing session-bound patient ID checks to access unauthorized data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25927Same product: Open-Emr Openemr
CVE-2026-34055Same product: Open-Emr Openemr
CVE-2026-32126Same product: Open-Emr Openemr
CVE-2026-24908Same product: Open-Emr Openemr
CVE-2026-25131Same product: Open-Emr Openemr
CVE-2026-33302Same product: Open-Emr Openemr
CVE-2026-33914Same product: Open-Emr Openemr
CVE-2026-25164Same product: Open-Emr Openemr
CVE-2026-34053Same product: Open-Emr Openemr
CVE-2026-24890Same product: Open-Emr Openemr

Affected Assets

open-emr
openemr
≤ 8.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces that the authenticated portal session's $pid cannot be overwritten by request parameters, blocking unauthorized access to other patients' records.

prevent

Ensures a portal user is restricted to the minimum privileges associated with their own patient record, eliminating the ability to interact with other patients' data.

prevent

Enforces information-flow rules that prevent data belonging to one patient from flowing to another authenticated portal user.

References