CVE-2026-33931

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.3

Description OpenEMR is an electronic health records and medical practice management application. A flaw exists where an authenticated portal patient can access other patients' payment records, including invoice/billing data and payment card metadata, by manipulating the recid query parameter in the portal/portal payment.php file. This is due to an Insecure Direct Object Reference (IDOR) condition. The vulnerable parameter is recid.

Recommendations Update to version 8.0.0.3 or later.