CVE-2026-25147
Published: 27 February 2026
Summary
CVE-2026-25147 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public-facing OpenEMR portal directly enables horizontal privilege escalation (T1068) via network exploitation of the web app (T1190), bypassing session-bound patient ID checks to access unauthorized data.
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid…
more
= ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history—horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue.
Deeper analysisAI
CVE-2026-25147 is an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-639, affecting OpenEMR, a free and open-source electronic health records and medical practice management application. In versions prior to 8.0.0, the file `portal/portal_payment.php` improperly derives the patient ID (`$pid`) from user-supplied request parameters such as `$_REQUEST['pid']` or `$_REQUEST['hidden_patient_code']`, rather than enforcing the ID associated with the authenticated portal session. This flaw enables horizontal privilege escalation, allowing unauthorized access to sensitive patient data.
An authenticated portal user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality impact (C:H) by viewing another patient's demographics, invoices, and payment history, alongside low integrity impact (I:L) through limited interactions. The CVSS v3.1 base score is 7.1 (S:U, A:N), highlighting its severity in multi-tenant healthcare environments where patient separation is critical.
The OpenEMR security advisory (GHSA-mwmw-qxv3-8whh) and corresponding fix in commit d6ab3cd0b621b19b942cf49d2db2026e288aa214 confirm that upgrading to version 8.0.0 resolves the issue by properly fixing the patient ID to the authenticated user's session value, preventing overwrites from request parameters. Security practitioners should prioritize patching affected installations and review access controls in patient portals.
Details
- CWE(s)