Description
A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 5.7.1 is sufficient to fix this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-05-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authentication check on the e-Clinic Healthcare System API endpoint /cdemos/echs/api/v2/patient-records allows an unauthenticated remote attacker to call the endpoint and read patient records without any credentials. The weakness corresponds to CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). The CVSS v4.0 vector rates the confidentiality impact as low (VC:L) with no integrity or availability impact, but the data exposed is patient health information, so the privacy consequences are larger than the numeric score suggests. The attack is reachable over the network, needs no privileges or user interaction, and a public proof of concept exists.

Affected Systems

PicoTronica’s e-Clinic Healthcare System (ECHS) version 5.7 is affected. The vendor has issued version 5.7.1 as a fix, which removes the unauthenticated access flaw. No other versions are listed as impacted.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 (Medium) reflects a network-reachable flaw that needs no privileges, no user interaction and no special conditions (AV:N/AC:L/AT:N/PR:N/UI:N) and has a low confidentiality impact with no integrity or availability impact (VC:L/VI:N/VA:N); the v3.1 score is 5.3. EPSS rates the probability of exploitation in the wild below 1%, but a public proof of concept exists (E:P) and the SSVC assessment records Exploitation: poc and Automatable: yes. The issue is not listed in CISA's KEV catalog. Organizations running ECHS 5.7 with the API reachable from untrusted networks should treat this as a higher priority than the score alone suggests until the patch is applied, because the records behind the endpoint are patient data.

Generated by OpenCVE AI on May 6, 2026 at 21:02 UTC.

Remediation

Vendor fix: upgrade to ECHS version 5.7.1, which the vendor released in response to the report. No workaround is listed.

OpenCVE Recommended Actions

  • Upgrade to PicoTronica ECHS version 5.7.1, which closes the unauthenticated access to the API endpoint.
  • Verify that authentication mechanisms (e.g., API tokens or session checks) are enforced on the /cdemos/echs/api/v2/patient-records route after patching: an anonymous request should be rejected while a properly authenticated request still succeeds.
  • Until the upgrade is applied, and as defence in depth afterwards, use network segmentation or firewall rules to restrict access to the ECHS API to authorized internal systems only.
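The post-patch verification in the second item can be scripted. The following is an added example and not code from PicoTronica, VulDB or OpenCVE; it assumes a bearer-token scheme, a base URL and an example token, all of which are placeholders, since the page does not state how ECHS authenticates API clients. Rather than only probing the route, it compares an anonymous request with an authenticated one so that a 401 caused by a wrong token or a removed route is not mistaken for a fix. Two constructed local servers stand in for an unpatched 5.7 and a patched 5.7.1 deployment so the check runs offline.

```python
"""Post-patch check for an API route that previously required no authentication.

Added example, not vendor or OpenCVE code. The bearer-token scheme, the
example token and the base URL are assumptions; adjust probe_route() to the
authentication the real ECHS deployment uses.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ROUTE = "/cdemos/echs/api/v2/patient-records"
VALID_TOKEN = "example-token"  # constructed for the local simulation only


def probe_route(base_url, route=ROUTE, token=None, timeout=5):
    """GET the route and return (status, body). No token = anonymous probe;
    with a token = simulated legitimate client (assumed bearer scheme)."""
    req = Request(base_url.rstrip("/") + route)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def verdict(unauth_status, auth_status):
    """Classify the pair of probe results.

    'vulnerable'   -> anonymous request served (the CVE-2026-8031 condition)
    'fixed'        -> anonymous request rejected, authenticated request served
    'unavailable'  -> both rejected: route gone or token wrong, not proof of a fix
    'inconclusive' -> anything else (e.g. a 5xx from the server)
    """
    if unauth_status == 200:
        return "vulnerable"
    if unauth_status in (401, 403) and auth_status == 200:
        return "fixed"
    if unauth_status in (401, 403, 404) and auth_status in (401, 403, 404):
        return "unavailable"
    return "inconclusive"


def check(base_url, token):
    """Run both probes against one deployment and return the verdict."""
    unauth, _ = probe_route(base_url)
    auth, _ = probe_route(base_url, token=token)
    return verdict(unauth, auth)


# Constructed local stand-ins for an unpatched and a patched server. They are
# not ECHS; they only reproduce "no auth check" versus "auth check enforced".
def _make_handler(require_auth):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != ROUTE:
                self.send_error(404)
                return
            if require_auth and self.headers.get("Authorization") != "Bearer " + VALID_TOKEN:
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Bearer")
                self.end_headers()
                return
            body = json.dumps([{"id": 1, "name": "constructed sample record"}]).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    return Handler


def start_server(require_auth):
    """Start a throwaway server on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _make_handler(require_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo():
    """Check both simulated deployments; returns {label: verdict}."""
    results = {}
    for label, require_auth in (("5.7 (unpatched)", False), ("5.7.1 (patched)", True)):
        srv, url = start_server(require_auth)
        results[label] = check(url, VALID_TOKEN)
        srv.shutdown()
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

Against a real deployment, call check() with the ECHS base URL and a valid credential for the scheme it actually uses; treat "unavailable" as a prompt to confirm the token and route rather than as a pass, and run the same probe from an untrusted network segment to confirm the firewall rule in the third item.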

Generated by OpenCVE AI on May 6, 2026 at 21:02 UTC.

Advisories

No advisories yet.

History

Wed, 06 May 2026 19:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 18:30:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 5.7.1 is sufficient to fix this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Title       |                | PicoTronica e-Clinic Healthcare System ECHS API Endpoint patient-records missing authentication
Weaknesses  |                | CWE-287, CWE-306
References  |                |
Metrics     |                | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}
            |                | cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
            |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
            |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-06T18:37:26.894Z

Reserved: 2026-05-06T12:17:10.551Z

Link: CVE-2026-8031

Vulnrichment

Updated: 2026-05-06T18:37:12.054Z

NVD

Status: Deferred

Published: 2026-05-06T19:16:53.250

Modified: 2026-05-07T14:08:07.340

Link: CVE-2026-8031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T21:15:13Z

Weaknesses