Description
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to the current user’s patient/encounter context. An authenticated user can access or edit any patient’s eye exam by supplying another form ID; in some flows the session’s active patient may also be switched. A fix is available on the `main` branch of the OpenEMR GitHub repository.
Published: 2026-02-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to patient eye exam data
Action: Patch Now
AI Analysis

Impact

The eye exam (eye_mag) view in OpenEMR loads its record by the form_id supplied in the request without checking that the form is registered against the user's current patient and encounter. An authenticated user who knows or guesses another patient's form identifier can therefore view or edit that patient's eye exam, and in some flows the session's active patient is silently switched to the owner of the supplied form. This is an insecure direct object reference, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Note that the published CVSS vector (C:H/I:N/A:N) scores only the confidentiality loss even though the description also covers editing the record.
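The following is an added example, not OpenCVE's text and not OpenEMR's own code. It models the lookup pattern described above against an in-memory SQLite schema: the table and column names (`forms` with `pid`, `encounter`, `formdir`, `form_id`; `form_eye_mag` keyed by `id`) are assumptions chosen to mirror OpenEMR's forms registry, and the sample rows are constructed. The vulnerable lookup trusts `form_id` and re-points the session patient; the checked lookup joins the registry and refuses anything outside the session's patient/encounter.

```python
import sqlite3

# Constructed in-memory schema. Assumption (not OpenEMR's own DDL): it mirrors
# the columns of OpenEMR's `forms` registry that matter here (pid, encounter,
# formdir, form_id) plus a minimal eye exam table whose primary key is what the
# view receives as form_id.
SCHEMA = """
CREATE TABLE forms (
    id INTEGER PRIMARY KEY, pid INTEGER NOT NULL, encounter INTEGER NOT NULL,
    formdir TEXT NOT NULL, form_id INTEGER NOT NULL);
CREATE TABLE form_eye_mag (
    id INTEGER PRIMARY KEY, pid INTEGER NOT NULL, notes TEXT NOT NULL);
"""

# Constructed sample data: two patients, one eye exam each.
FORMS_ROWS = [(1, 100, 5001, "eye_mag", 11), (2, 200, 5002, "eye_mag", 22)]
EYE_ROWS = [(11, 100, "patient 100 exam"), (22, 200, "patient 200 exam")]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO forms VALUES (?,?,?,?,?)", FORMS_ROWS)
    conn.executemany("INSERT INTO form_eye_mag VALUES (?,?,?)", EYE_ROWS)
    return conn


def load_eye_exam_vulnerable(conn, session, form_id):
    """The pattern the CVE describes: look the record up by form_id alone and
    trust it. As the description says happens in some flows, the session's
    active patient is then switched to whatever patient the form belongs to."""
    row = conn.execute(
        "SELECT id, pid, notes FROM form_eye_mag WHERE id = ?", (form_id,)
    ).fetchone()
    if row is None:
        return None
    session["pid"] = row["pid"]  # session state derived from an attacker-chosen key
    return dict(row)


def load_eye_exam_checked(conn, session, form_id):
    """Hardened lookup: the row is returned only if the forms registry says this
    eye_mag form belongs to the session's current patient and encounter. The
    session is never modified from the request parameter."""
    row = conn.execute(
        """SELECT e.id, e.pid, e.notes
           FROM form_eye_mag AS e
           JOIN forms AS f ON f.form_id = e.id AND f.formdir = 'eye_mag'
           WHERE e.id = ? AND f.pid = ? AND f.encounter = ?""",
        (form_id, session["pid"], session["encounter"]),
    ).fetchone()
    if row is None:
        # Same outcome whether the form does not exist or belongs to another
        # patient, so the endpoint cannot be used to enumerate valid form IDs.
        raise PermissionError(
            "form_id %s is not in the current patient/encounter context" % form_id
        )
    return dict(row)


def demo():
    """Session on patient 100 / encounter 5001 requests patient 200's form (22)."""
    conn = open_db()
    vuln_session = {"pid": 100, "encounter": 5001}
    leaked = load_eye_exam_vulnerable(conn, vuln_session, 22)
    safe_session = {"pid": 100, "encounter": 5001}
    try:
        load_eye_exam_checked(conn, safe_session, 22)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "leaked_pid": leaked["pid"],
        "session_switched_to": vuln_session["pid"],
        "blocked": blocked,
        "session_after_check": safe_session["pid"],
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check is done in the same query that fetches the record, so there is no window in which the row is loaded before authorization runs, and the patient context comes from the server-side session rather than from anything the client sends.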

Affected Systems

The affected product is OpenEMR, versions up to and including 8.0.0. Any deployment of these releases that permits login access is vulnerable.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, a low-privileged account required, no user interaction. The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below gives Exploitation: poc, meaning a proof of concept exists, with Automatable: no and Technical Impact: partial. An attacker needs valid OpenEMR credentials and a target form_id, which the description notes may be known or guessed, so the exposure is to any authenticated user rather than to anonymous clients. Successful exploitation discloses another patient's eye exam data and, per the description, allows editing it and in some flows switching the session's active patient.

Generated by OpenCVE AI on April 18, 2026 at 10:26 UTC.

Remediation

No workaround is listed. The CVE description states that a fix is available on the `main` branch of the OpenEMR GitHub repository; no patched release version is identified on this page.

OpenCVE Recommended Actions

  • Deploy an OpenEMR release that includes the form_id ownership fix, or apply the fix from the `main` branch of the OpenEMR GitHub repository.
  • Until the fix is deployed, enforce server-side that any form_id passed to the eye exam view resolves to an eye_mag form registered against the session's current patient and encounter, and never let the supplied form_id change the session's active patient.
  • Limit access to the eye exam view to users with appropriate roles (e.g., ophthalmologists, authorized clinicians) and enforce role-based access control.
  • Monitor eye exam form access for users loading form IDs that belong to a patient other than their current one, and, once the fix is applied, for repeated denied loads, which indicate form_id enumeration.

Generated by OpenCVE AI on April 18, 2026 at 10:26 UTC.
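As an added example (not OpenCVE's or OpenEMR's code) of the monitoring action above, the script below runs a detection over constructed access log lines. The key=value log format, field names (`user`, `session_pid`, `form_id`, `form_pid`, `result`) and the events themselves are assumptions; OpenEMR's real audit log will need its own parser. It flags cross-patient eye exam loads, which is the signal both before the fix (the load succeeds with `form_pid` different from `session_pid`) and after it (the load is denied), and reports users who produce several of them inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: a hypothetical key=value access log, not
# OpenEMR's real log format). asmith walks three other patients' forms in
# twelve seconds; bjones touches one foreign form and is denied.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z user=asmith session_pid=100 action=eye_mag_load form_id=11 form_pid=100 result=ok
2026-03-01T10:00:09Z user=asmith session_pid=100 action=eye_mag_load form_id=22 form_pid=200 result=ok
2026-03-01T10:00:15Z user=asmith session_pid=100 action=eye_mag_load form_id=23 form_pid=201 result=ok
2026-03-01T10:00:21Z user=asmith session_pid=100 action=eye_mag_load form_id=24 form_pid=202 result=ok
2026-03-01T10:05:00Z user=bjones session_pid=300 action=eye_mag_load form_id=33 form_pid=300 result=ok
2026-03-01T10:06:00Z user=bjones session_pid=300 action=eye_mag_load form_id=34 form_pid=301 result=denied
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one line into a dict of fields with a datetime under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def cross_patient_events(log_text):
    """Eye exam loads where the form's patient differs from the session patient.
    Succeeded or denied does not matter: either one is a user reaching outside
    their current patient context."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("action") != "eye_mag_load":
            continue
        if ev["form_pid"] != ev["session_pid"]:
            events.append(ev)
    return events


def flag_enumeration(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: peak count} for users with at least `threshold`
    cross-patient loads inside any sliding `window`."""
    by_user = defaultdict(list)
    for ev in cross_patient_events(log_text):
        by_user[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for ev in cross_patient_events(SAMPLE_LOG):
        print("%s %s session_pid=%s form_pid=%s result=%s" % (
            ev["ts"].isoformat(), ev["user"], ev["session_pid"], ev["form_pid"], ev["result"]))
    print(flag_enumeration(SAMPLE_LOG))
```

A single cross-patient load can be legitimate (a clinician opening a chart from a worklist), so the threshold and window are what separate noise from enumeration; tune them against a baseline of normal eye exam traffic before alerting.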

Tracking


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Open-emr
                                      Open-emr openemr
CPEs                                  cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products                    Open-emr
                                      Open-emr openemr

Thu, 26 Feb 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openemr
                                      Openemr openemr
Vendors & Products                    Openemr
                                      Openemr openemr

Thu, 26 Feb 2026 02:15:00 +0000

Type          Values Removed   Values Added
Description                    OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to the current user’s patient/encounter context. An authenticated user can access or edit any patient’s eye exam by supplying another form ID; in some flows the session’s active patient may also be switched. A fix is available on the `main` branch of the OpenEMR GitHub repository.
Title                          OpenEMR's Eye Exam View Trusts form_id Without Verifying Patient/Encounter Ownership
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:28:13.472Z

Reserved: 2026-02-25T03:11:36.690Z

Link: CVE-2026-27943

Vulnrichment

Updated: 2026-02-26T15:28:06.288Z

NVD

Status : Analyzed

Published: 2026-02-26T02:16:22.547

Modified: 2026-02-27T14:51:27.900

Link: CVE-2026-27943

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses