{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25147", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.821Z", "datePublished": "2026-02-27T16:44:40.734Z", "dateUpdated": "2026-02-27T18:27:59.160Z"}, "containers": {"cna": {"title": "OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-mwmw-qxv3-8whh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-mwmw-qxv3-8whh"}, {"name": "https://github.com/openemr/openemr/commit/d6ab3cd0b621b19b942cf49d2db2026e288aa214", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/d6ab3cd0b621b19b942cf49d2db2026e288aa214"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T16:44:40.734Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid = ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history\u2014horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue."}], "source": {"advisory": "GHSA-mwmw-qxv3-8whh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T18:27:48.774045Z", "id": "CVE-2026-25147", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:27:59.160Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25147", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T18:27:48.774045Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:27:55.498Z"}}], "cna": {"title": "OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid", "source": {"advisory": "GHSA-mwmw-qxv3-8whh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-mwmw-qxv3-8whh", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-mwmw-qxv3-8whh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/d6ab3cd0b621b19b942cf49d2db2026e288aa214", "name": "https://github.com/openemr/openemr/commit/d6ab3cd0b621b19b942cf49d2db2026e288aa214", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid = ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history\u2014horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T16:44:40.734Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25147", "state": "PUBLISHED", "dateUpdated": "2026-02-27T18:27:59.160Z", "dateReserved": "2026-01-29T15:39:11.821Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T16:44:40.734Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEAA9896-A42E-437C-BEE8-8DA955E34385", "versionEndExcluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid = ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history\u2014horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue."}], "id": "CVE-2026-25147", "lastModified": "2026-03-03T19:10:32.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-27T17:16:30.933", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/d6ab3cd0b621b19b942cf49d2db2026e288aa214"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-mwmw-qxv3-8whh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-04-16T15:26:07.809374+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0 or later, where the pid handling has been corrected.", "Run a security audit of portal access logs to identify any abnormal patient\u2011id usage.", "If a patch cannot be applied immediately, restrict portal requests to enforce that the patient identifier matches the authenticated user\u2019s session, rejecting any override parameters."], "summary": {"action": "Apply Patch", "impact": "Horizontal Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in OpenEMR versions prior to 8.0.0. The affected file is portal/portal_payment.php. All installations of OpenEMR that use the default portal login mechanism and have not applied the 8.0.0 update are at risk. No specific patch version list is given beyond the 8.0.0 fix.", "description_and_impact": "OpenEMR\u2019s portal payment endpoint allows a logged\u2011in portal user to supply a patient identifier in the request that is not checked against the authenticated session. By overriding the backend patient id, the attacker can view the demographics, invoices, and payment history of any other patient. This privilege escalation bypasses the normal patient\u2011level access controls and compromises the confidentiality and integrity of protected health information, as described by CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a medium\u2011high severity vulnerability. The EPSS score of less than 1\u202f% suggests that, while the technical exploit is possible, it is unlikely to be widely used or automated at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs a valid portal session and the ability to modify the request parameters; no additional privileges or network access are required. Because the flaw allows read\u2011only access to other patients\u2019 data, the exploitation is straightforward and could be performed interactively by a legitimate user after logging in."}}}}, "created": "2026-03-02T12:07:05.954527+00:00", "updated": "2026-04-16T15:30:06.225854+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}