Description
This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system.
Published: 2026-04-29
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated attacker can manipulate encoded parameters in a request URL to bypass access controls and gain unauthorized viewing or modification rights to patient accounts within e‑Sushrut HMIS. This broken access control flaw—identified as CWE‑639—allows attackers to compromise the confidentiality and integrity of protected health information held in the system.

Affected Systems

The affected product is CDAC‑Noida’s e‑Sushrut Hospital Management Information System (HMIS). All pre‑latest releases, as noted by the CPE string, are vulnerable; the specific version range is not stated but applies to the versions prior to the latest update.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate‑to‑high risk level. The EPSS score is not available, so the current probability of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session and the ability to craft URL parameters, making it exploitable from within the user’s own account context. The threat is significant enough to warrant remediation, particularly because it impacts protected health information.

Generated by OpenCVE AI on April 29, 2026 at 09:51 UTC.

Remediation

Vendor Solution

Contact C-DAC for upgrading e-Sushrut HMIS to latest version

OpenCVE Recommended Actions

  • Contact C‑DAC to upgrade e‑Sushrut HMIS to the latest patched version
  • Verify that patient‑account endpoints enforce proper role‑based authorization and reject unauthorized requests
  • Monitor web server logs for anomalous URL‑parameter manipulation attempts and investigate any suspicious activity

Generated by OpenCVE AI on April 29, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system.
Title Broken Access Control Vulnerability in e-Sushrut HMIS
First Time appeared Cdac-noida
Cdac-noida e-sushrut Hospital Management Information System Hmis
Weaknesses CWE-639
CPEs cpe:2.3:a:cdac-noida:e-sushrut_hospital_management_information_system_hmis_:previous_versions:*:*:*:*:*:*:*
Vendors & Products Cdac-noida
Cdac-noida e-sushrut Hospital Management Information System Hmis
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cdac-noida E-sushrut Hospital Management Information System Hmis
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-04-29T08:26:15.611Z

Reserved: 2026-04-28T08:14:36.620Z

Link: CVE-2026-42516

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-29T09:16:24.803

Modified: 2026-04-29T09:16:24.803

Link: CVE-2026-42516

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:30:08Z

Weaknesses