CVE-2026-25147

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0

Description OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0, the patient ID used in portal/portal payment.php is obtained from the request ($pid = $ REQUEST['pid'] ?? $pid and $pid = ($ REQUEST['hidden patient code'] ?? null) > 0 ? $ REQUEST['hidden patient code'] : $pid) instead of being fixed to the authenticated portal user. This allows a portal user to view and interact with another patient's demographics, invoices, and payment history, resulting in horizontal privilege escalation and IDOR (Insecure Direct Object Reference). The vulnerable parameter is pid and hidden patient code.

Recommendations Update to version 8.0.0 or later.