Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid = ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history—horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue.
Published: 2026-02-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Horizontal Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

OpenEMR’s portal payment endpoint allows a logged‑in portal user to supply a patient identifier in the request that is not checked against the authenticated session. By overriding the backend patient id, the attacker can view the demographics, invoices, and payment history of any other patient. This privilege escalation bypasses the normal patient‑level access controls and compromises the confidentiality and integrity of protected health information, as described by CWE‑639.

Affected Systems

The vulnerability exists in OpenEMR versions prior to 8.0.0. The affected file is portal/portal_payment.php. All installations of OpenEMR that use the default portal login mechanism and have not applied the 8.0.0 update are at risk. No specific patch version list is given beyond the 8.0.0 fix.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑high severity vulnerability. The EPSS score of less than 1 % suggests that, while the technical exploit is possible, it is unlikely to be widely used or automated at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs a valid portal session and the ability to modify the request parameters; no additional privileges or network access are required. Because the flaw allows read‑only access to other patients’ data, the exploitation is straightforward and could be performed interactively by a legitimate user after logging in.

Generated by OpenCVE AI on April 16, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0 or later, where the pid handling has been corrected.
  • Run a security audit of portal access logs to identify any abnormal patient‑id usage.
  • If a patch cannot be applied immediately, restrict portal requests to enforce that the patient identifier matches the authenticated user’s session, rejecting any override parameters.

Generated by OpenCVE AI on April 16, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid = ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history—horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue.
Title OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T18:27:59.160Z

Reserved: 2026-01-29T15:39:11.821Z

Link: CVE-2026-25147

cve-icon Vulnrichment

Updated: 2026-02-27T18:27:55.498Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T17:16:30.933

Modified: 2026-03-03T19:10:32.100

Link: CVE-2026-25147

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses