CVE-2026-27943 Overview
OpenEMR is a free and open source electronic health records (EHR) and medical practice management application widely used in healthcare environments. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by form_id (or equivalent) without verifying that the form belongs to the current user's patient/encounter context. This Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated user to access or edit any patient's eye exam records by supplying another form ID. In some flows, the session's active patient may also be switched, further compounding the unauthorized access risk.
Critical Impact
Authenticated attackers can access and potentially modify sensitive protected health information (PHI) of any patient in the OpenEMR system, creating significant HIPAA compliance violations and patient privacy breaches.
Affected Products
- OpenEMR versions up to and including 8.0.0
- OpenEMR Eye Exam (eye_mag) module
- Any deployment using the affected eye examination form functionality
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-27943 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27943
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, commonly known as an Insecure Direct Object Reference (IDOR). The eye examination module in OpenEMR fails to implement proper authorization checks when loading patient form data. When a user accesses an eye exam form, the application retrieves the form based solely on the form_id parameter without validating that the requesting user has legitimate access to that specific patient's records.
The authorization bypass occurs because the application trusts user-supplied identifiers to access sensitive medical records. An authenticated user with access to the eye exam module can enumerate or guess form IDs to retrieve other patients' eye examination data, effectively bypassing the patient-encounter context that should restrict data access.
Root Cause
The root cause lies in the interface/forms/eye_mag/new.php file where the encounter and patient ID (pid) values are not properly validated against the session context. The original code used $_SESSION['encounter'] without proper guards, allowing scenarios where the encounter context could be missing or stale, enabling cross-patient data access. The application failed to enforce that the requested form belongs to the currently authenticated user's authorized patient scope.
Attack Vector
The attack requires network access and valid authentication to the OpenEMR system. An attacker with low-privilege authenticated access to the eye examination module can exploit this vulnerability by:
- Accessing the eye exam form interface
- Manipulating the form_id parameter in the request
- Supplying a different form ID belonging to another patient
- Viewing or modifying the unauthorized patient's eye examination data
The following patch demonstrates the security fix applied to address this vulnerability:
$group = $_SESSION['authProvider'];
}
-$encounter = !$_SESSION['encounter'] ? date("Ymd") : $_SESSION['encounter'];
+// $encounter is already in scope from globals.php / load_form.php.
+// Guard against missing encounter (the scenario that caused #10844):
+if (!isset($encounter) || (int) $encounter === 0) { // @phpstan-ignore cast.int ($encounter comes from global scope)
+ formHeader(xlt('Error'));
+ echo '<div class="alert alert-danger">' .
+ xlt('No active encounter. Please select or create an encounter first.') .
+ '</div>';
+ formFooter();
+ exit;
+}
+
+$encounterAttr = attr($encounter); // @phpstan-ignore argument.type ($encounter validated above)
$query = "select * from form_encounter where pid =? and encounter= ?";
$encounter_data = sqlQuery($query, [$pid,$encounter]);
Source: GitHub Commit Update
The fix ensures that a valid encounter context exists before proceeding with form data retrieval, and explicitly passes encounter and patient ID parameters in form URLs:
'isAdminSuper' => AclMain::aclCheckCore("admin", "super"),
'enableFollowUpEncounters' => $GLOBALS['enable_follow_up_encounters'],
'menuArray' => $menu->getMenuData(),
+ 'encounter' => (int) $encounter, // @phpstan-ignore cast.int ($encounter comes from global scope)
+ 'pid' => (int) $pid,
]);
?>
Source: GitHub Commit Update
Detection Methods for CVE-2026-27943
Indicators of Compromise
- Unusual access patterns to interface/forms/eye_mag/new.php with varying form_id parameters
- Sequential or enumerated form_id values in web server access logs
- Single user sessions accessing eye exam forms for multiple unrelated patients
- Audit log entries showing eye form access without corresponding patient chart access
Detection Strategies
- Implement web application firewall (WAF) rules to detect parameter tampering on form endpoints
- Configure audit logging to track all eye exam form accesses and correlate with authorized patient lists
- Deploy anomaly detection to identify users accessing forms outside their normal patient population
- Monitor for rapid sequential requests to eye exam endpoints with incrementing form IDs
Monitoring Recommendations
- Enable detailed access logging for all OpenEMR form modules, particularly eye_mag
- Implement real-time alerting for access to eye exam records without prior patient chart access
- Review audit trails regularly for unauthorized cross-patient data access patterns
- Configure SIEM integration to correlate OpenEMR access logs with user authorization levels
How to Mitigate CVE-2026-27943
Immediate Actions Required
- Update OpenEMR to the latest version from the main branch containing the security fix
- Review audit logs to identify any potential exploitation of this vulnerability
- Conduct a HIPAA breach assessment if unauthorized access to PHI is detected
- Temporarily restrict access to the eye exam module if immediate patching is not possible
- Notify compliance and security teams of the potential patient data exposure risk
Patch Information
A fix is available on the main branch of the OpenEMR GitHub repository. The security patch is documented in commit c87489bf63f2701b634d948279e104f2ed3df1c0. Organizations should update to the latest version that includes this fix. For detailed information about the vulnerability and patch, refer to the GitHub Security Advisory GHSA-q96x-qw99-6xq9.
Workarounds
- Implement network segmentation to limit access to the OpenEMR application
- Restrict user permissions for the eye exam module to only essential personnel
- Deploy application-level access controls to enforce patient-provider relationships
- Enable comprehensive audit logging to detect potential abuse while awaiting patch deployment
# Review Apache access logs for potential exploitation attempts
grep "eye_mag/new.php" /var/log/apache2/access.log | awk '{print $1, $7}' | sort | uniq -c | sort -rn
# Check for multiple form_id accesses from single IP addresses
grep "form_id=" /var/log/apache2/access.log | grep "eye_mag" | cut -d' ' -f1 | sort | uniq -c | sort -rn | head -20
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
