CVE-2026-25930
Published: 25 February 2026
Summary
CVE-2026-25930 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Open-Emr Openemr. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8717
Vulnerability details
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Layout-Based Form (LBF) printable view accepts `formid` and `visitid` (or `patientid`) from the request and does not verify that the…
more
form belongs to the current user’s authorized patient/encounter. An authenticated user with LBF access can enumerate form IDs and view or print any patient’s encounter forms. Version 8.0.0 fixes the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CWE-639 IDOR in LBF view allows authenticated access to arbitrary patient encounter forms (information repository) without authorization checks.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.