Description
This vulnerability exists in e-Sushrut due to improper access control in resource access validation. An authenticated attacker could exploit this vulnerability by manipulating parameter in the API request URL to gain unauthorized access to sensitive information of patients on the targeted system.
Published: 2026-04-29
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The e‑Sushrut HMIS contains an Insecure Direct Object Reference flaw that allows an authenticated user to manipulate the request URL and retrieve other patients’ sensitive information. Because the system fails to validate ownership or authorization of resources, attackers can disclose confidential medical data, violating privacy and potentially enabling further damage. The weakness maps to CWE‑639.

Affected Systems

The flaw affects CDAC‑Noida’s e‑Sushrut Hospital Management Information System. All previous releases of the HMIS are vulnerable; the exact range of affected minor versions is not disclosed but any installment prior to the latest version lacks the fix.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score is not publicly available, so the current exploitation probability is uncertain but the lack of a KEV listing suggests no known active exploitation. The exploit requires an authenticated session and the ability to modify URL parameters, which can be carried out remotely. Because attackers need valid credentials, the risk is significant for organizations that fail to enforce strict role‑based access control.

Generated by OpenCVE AI on April 29, 2026 at 09:20 UTC.

Remediation

Vendor Solution

Contact C-DAC for upgrading e-Sushrut HMIS to latest version

OpenCVE Recommended Actions

  • Contact C‑DAC to obtain and deploy the latest e‑Sushrut HMIS update.
  • Replace all vulnerable API endpoints with the fixed version.
  • Perform a security review of access permissions to ensure resource ownership checks are enforced.

Generated by OpenCVE AI on April 29, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Cdac-noida e-sushrut Hmis
Vendors & Products Cdac-noida e-sushrut Hmis

Wed, 29 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description This vulnerability exists in e-Sushrut due to improper access control in resource access validation. An authenticated attacker could exploit this vulnerability by manipulating parameter in the API request URL to gain unauthorized access to sensitive information of patients on the targeted system.
Title Insecure Direct Object Reference (IDOR) Vulnerability in e-Sushrut HMIS
First Time appeared Cdac-noida
Cdac-noida e-sushrut Hospital Management Information System Hmis
Weaknesses CWE-639
CPEs cpe:2.3:a:cdac-noida:e-sushrut_hospital_management_information_system_hmis_:previous_versions:*:*:*:*:*:*:*
Vendors & Products Cdac-noida
Cdac-noida e-sushrut Hospital Management Information System Hmis
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cdac-noida E-sushrut Hmis E-sushrut Hospital Management Information System Hmis
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-04-29T08:22:57.139Z

Reserved: 2026-04-28T08:14:36.620Z

Link: CVE-2026-42515

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-29T09:16:24.680

Modified: 2026-04-29T09:16:24.680

Link: CVE-2026-42515

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:10:13Z

Weaknesses