{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33931", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.102Z", "datePublished": "2026-03-25T23:36:48.165Z", "dateUpdated": "2026-03-25T23:36:48.165Z"}, "containers": {"cna": {"title": "OpenEMR has IDOR in Portal Payment Page that Allows Cross-Patient Record Access", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-hf37-5rp9-j27j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-hf37-5rp9-j27j"}, {"name": "https://github.com/openemr/openemr/commit/7bf30e0ec5587f80c19094d58df09d46ac328806", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/7bf30e0ec5587f80c19094d58df09d46ac328806"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:36:48.165Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patient portal payment page allows any authenticated portal patient to access other patients' payment records \u2014 including invoice/billing data (PHI) and payment card metadata \u2014 by manipulating the `recid` query parameter in `portal/portal_payment.php`. Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-hf37-5rp9-j27j", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patient portal payment page allows any authenticated portal patient to access other patients' payment records \u2014 including invoice/billing data (PHI) and payment card metadata \u2014 by manipulating the `recid` query parameter in `portal/portal_payment.php`. Version 8.0.0.3 patches the issue."}], "id": "CVE-2026-33931", "lastModified": "2026-03-26T16:29:06.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T00:16:39.787", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/7bf30e0ec5587f80c19094d58df09d46ac328806"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-hf37-5rp9-j27j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T00:52:22.591251+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenEMR version 8.0.0.3 or later and verify the fix is applied", "Ensure that all other installations are updated and no older unsupported versions remain in use", "Verify access controls on the public payment portal and monitor for suspicious payment record requests"], "summary": {"action": "Immediate Patch", "impact": "Patient data disclosure"}, "threat_synthesis": {"affected_systems": "OpenEMR openemr software is affected. All installations running versions earlier than 8.0.0.3 are vulnerable. Versions 8.0.0.3 and later contain the fix.", "description_and_impact": "The flaw is an insecure direct object reference in the patient portal payment page that allows any authenticated portal patient to retrieve other patients' payment records by changing a query parameter. An attacker can view personally identifying information, billing details, and payment card metadata belonging to other patients. The weakness allows unauthorized read access to protected health information, and potentially payment fraud or data misuse.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.5, indicating medium severity. Exploitation requires the attacker to be an authenticated patient of the portal and to manipulate the recid query parameter. No enterprise\u2011wide exploitation tools are documented, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers could stage the exploit by simply requesting a URL such as portal/portal_payment.php?recid=123 and tracing another patient\u2019s data. Because the vector is in the web application layer and does not require elevated privileges, the likelihood of exploitation in practice depends on the attribution of patient accounts, but the potential impact on confidentiality is significant."}}}}, "created": "2026-03-26T11:31:08.503953+00:00", "updated": "2026-03-26T12:09:11.029781+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}