Authorization bypass through user-controlled key in OpenEMR - CVE-2026-27943
Published: April 23, 2026


Vulnerability identifier: #VU127292
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27943
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to authorization bypass through a user-controlled key in interface/forms/eye_mag/view.php when handling a user-supplied form_id parameter. A remote user can supply another patient's form ID to disclose sensitive information.

The issue affects the eye exam view path and may switch the active patient in the session in some flows.
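The pattern behind CWE-639 is easiest to see side by side. The following is an added illustration, not OpenEMR code: it uses a constructed in-memory store of eye-exam forms and a session dictionary (names such as `ExamForm`, `FORMS` and `view_form_fixed` are hypothetical). The vulnerable handler loads a record by the caller-supplied `form_id` alone and then resets the active patient from that record, which is the two-part behaviour the advisory describes; the fixed handler requires the record to belong to the patient already active in the session and never lets the key alter session state.

```python
"""CWE-639 (authorization bypass through a user-controlled key):
vulnerable lookup beside its ownership-checked form.
Constructed example; not code from OpenEMR."""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a record is not accessible in the current context."""


@dataclass(frozen=True)
class ExamForm:
    form_id: int
    pid: int      # patient the form belongs to
    notes: str


# Constructed sample data: two patients, one eye-exam form each.
FORMS = {
    101: ExamForm(form_id=101, pid=1, notes="patient 1 eye exam"),
    202: ExamForm(form_id=202, pid=2, notes="patient 2 eye exam"),
}


def view_form_vulnerable(session: dict, form_id: int) -> ExamForm:
    """Trusts the user-controlled key: any authenticated user who supplies
    another patient's form id receives that record, and the session's
    active patient is silently switched to the record's owner."""
    form = FORMS[form_id]
    session["pid"] = form.pid        # side effect the advisory warns about
    return form


def view_form_fixed(session: dict, form_id: int) -> ExamForm:
    """Ownership check: the record must belong to the patient already
    active in the session. The session is read, never written, here."""
    form = FORMS.get(form_id)
    if form is None or form.pid != session.get("pid"):
        # One error for both "missing" and "belongs to someone else", so
        # the response does not confirm which form ids exist.
        raise AuthorizationError("form not accessible in this context")
    return form


if __name__ == "__main__":
    sess = {"pid": 1}
    print(view_form_fixed(sess, 101).notes)
    try:
        view_form_fixed(sess, 202)
    except AuthorizationError as exc:
        print("denied:", exc, "| session pid still", sess["pid"])
```

The check compares the record's owner to the session, rather than loading the record and then adopting its owner as the session's patient; that ordering is what keeps a guessed key from both disclosing data and changing which patient subsequent requests act on.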


How to mitigate CVE-2026-27943

Install the security update from the vendor's website.
