CVE-2026-27943 - Vulnerability Analysis
Medium
CVSS: 6.5
Last Updated: February 27, 2026
OpenEMR - Broken Access Control
Published: February 26, 2026
Updated: February 27, 2026
PoC Available
Remote Exploitable
Overview
OpenEMR <= 8.0.0 contains a broken access control vulnerability in the eye exam view: the application does not verify that form_id belongs to the current user's patient context, so an authenticated user can access or edit any patient's eye exam. Exploitation requires authentication.
Severity & Score
Severity: Medium
CVSS Score: 6.5
Impact
Authenticated users can access or modify any patient's eye exam data, potentially leading to unauthorized data disclosure and modification.
Mitigation
Update to the fixed version available on the main branch of the OpenEMR GitHub repository or later.
Details
- CVE ID: CVE-2026-27943
- Severity: Medium
- CVSS Score: 6.5
- Type: broken_access_control
- Status: confirmed
CWE
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N