CVE-2026-25147 Overview
OpenEMR is a free and open source electronic health records (EHR) and medical practice management application widely deployed in healthcare environments. A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in the patient portal payment functionality that enables horizontal privilege escalation. Prior to version 8.0.0, the portal/portal_payment.php endpoint fails to properly validate patient identity, allowing authenticated portal users to access and manipulate other patients' sensitive medical and financial data.
Critical Impact
Authenticated portal users can exploit this IDOR vulnerability to access other patients' demographics, invoices, and payment history—constituting a serious HIPAA compliance violation and patient privacy breach in healthcare environments.
Affected Products
- OpenEMR versions prior to 8.0.0
- portal/portal_payment.php endpoint in vulnerable installations
- Healthcare organizations using OpenEMR patient portal functionality
Discovery Timeline
- 2026-02-27 - CVE-2026-25147 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-25147
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as an Insecure Direct Object Reference (IDOR). The flaw exists in the patient portal payment processing functionality where user-supplied input directly controls which patient records are accessed without proper authorization checks.
The vulnerable code path accepts patient identifiers from request parameters rather than using the authenticated session's patient ID. When a user accesses the payment portal, the application retrieves the patient ID from $_REQUEST['pid'] or $_REQUEST['hidden_patient_code'] parameters instead of enforcing the use of the session-bound $pid value for the authenticated user.
This design flaw enables an attacker with valid portal credentials to substitute their own patient ID with that of another patient, gaining unauthorized access to sensitive protected health information (PHI) including demographics, billing invoices, and complete payment history.
Root Cause
The root cause stems from improper authorization logic in portal/portal_payment.php. The application overwrites the authenticated session's patient identifier ($pid) with user-supplied values from request parameters using the following assignment pattern: $pid = $_REQUEST['pid'] ?? $pid and $pid = ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid. This allows attackers to inject arbitrary patient identifiers, bypassing the intended access controls. The portal session already maintains a valid $pid for the logged-in patient, but this value is not enforced as authoritative.
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the OpenEMR patient portal. An attacker who has legitimate portal credentials can exploit this vulnerability by:
- Authenticating to the OpenEMR patient portal with valid credentials
- Navigating to the payment functionality at portal/portal_payment.php
- Intercepting or modifying the request to substitute the pid or hidden_patient_code parameter with a different patient's ID
- Accessing the target patient's demographics, invoices, and payment history
The vulnerability can be exploited by manipulating HTTP request parameters to reference other patient records. For example, modifying the pid parameter in a GET or POST request to the payment portal allows an attacker to enumerate and access patient records systematically. Technical details and the specific fix can be found in the GitHub Security Advisory.
Detection Methods for CVE-2026-25147
Indicators of Compromise
- Unusual patterns of access to portal/portal_payment.php with varying pid or hidden_patient_code parameter values from the same authenticated session
- Multiple patient record accesses from a single user session within short time periods
- Web server logs showing parameter manipulation attempts on the payment portal endpoint
- Audit log entries indicating patient record access inconsistent with the authenticated user's identity
Detection Strategies
- Implement web application firewall (WAF) rules to detect parameter tampering on patient portal endpoints
- Deploy anomaly detection to identify users accessing multiple patient records outside normal workflow patterns
- Enable detailed application logging for patient record access events in OpenEMR
- Monitor for enumeration patterns where sequential or random patient IDs are being tested
Monitoring Recommendations
- Configure SIEM alerts for access patterns indicative of IDOR exploitation on healthcare portals
- Establish baseline access patterns for portal users and alert on deviations
- Implement real-time monitoring of patient portal authentication and authorization events
- Review OpenEMR audit logs regularly for unauthorized cross-patient data access
How to Mitigate CVE-2026-25147
Immediate Actions Required
- Upgrade OpenEMR installations to version 8.0.0 or later immediately
- Review audit logs for signs of exploitation prior to patching
- Conduct a security assessment to identify if patient data was accessed inappropriately
- Notify affected patients and regulatory bodies if unauthorized access is confirmed per HIPAA breach notification requirements
Patch Information
OpenEMR has released version 8.0.0 which contains the security fix for this vulnerability. The patch ensures that the patient portal uses only the authenticated session's patient identifier rather than accepting user-supplied values. The specific code changes can be reviewed in the GitHub commit. Organizations should apply this update through their standard change management process after appropriate testing in non-production environments.
Workarounds
- Temporarily disable access to portal/portal_payment.php until patching is completed
- Implement additional network-level access controls restricting patient portal access to known IP ranges
- Deploy a web application firewall rule to reject requests with modified pid or hidden_patient_code parameters
- Enable enhanced logging and monitoring while awaiting patch deployment
# Example: Restrict access to vulnerable endpoint via Apache configuration
# Add to OpenEMR virtual host configuration temporarily until patch is applied
<Location "/portal/portal_payment.php">
Order Deny,Allow
Deny from all
# Allow only from trusted administrative IPs if needed
# Allow from 192.168.1.0/24
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
