Description
A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. Impacted is the function actionGetPatientById of the file app\modules\medical\port\rest\controllers\PatientController.php of the component HTTP REST API. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is located in Medkey’s actionGetPatientById endpoint, where the ID parameter is accepted without proper validation or authorization checks, enabling a remote attacker to retrieve patient data belonging to other users. This incorrect handling of resource identifiers is a classic IDOR flaw and maps to CWE-99, allowing unauthorized read or modification of sensitive medical records.

Affected Systems

All deployed versions of Medkey prior to commit fc09b7ba9441ff590b72d428d5380834216b09ed are affected. The vendor employs a rolling release model, so any instance still using a pre‑fix revision is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 5.3, the flaw has moderate severity. An attacker can trigger it via a standard HTTP/HTTPS call to the REST API without needing local network access, and a public proof‑of‑concept confirms remote exploitation is possible. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 15, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a revision later than fc09b7ba9441ff590b72d428d5380834216b09ed or apply the vendor’s official patch if available
  • Restrict the GetPatientById endpoint to authenticated users only and enforce role‑based access control so that the requested ID belongs to the caller
  • Validate the ID parameter against the authenticated user's record set to prevent IDOR exploitation

Generated by OpenCVE AI on June 15, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. Impacted is the function actionGetPatientById of the file app\modules\medical\port\rest\controllers\PatientController.php of the component HTTP REST API. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Title medkey-org medkey HTTP REST API PatientController.php actionGetPatientById resource injection
First Time appeared Medkey-org
Medkey-org medkey
Weaknesses CWE-99
CPEs cpe:2.3:a:medkey-org:medkey:*:*:*:*:*:*:*:*
Vendors & Products Medkey-org
Medkey-org medkey
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Medkey-org Medkey
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T01:45:08.090Z

Reserved: 2026-06-14T12:22:02.042Z

Link: CVE-2026-12207

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-15T02:16:12.653

Modified: 2026-06-15T02:16:12.653

Link: CVE-2026-12207

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T03:30:07Z

Weaknesses
  • CWE-99

    Improper Control of Resource Identifiers ('Resource Injection')