OpenEMR: Unauthorized Access to Patient Data in Eye Exam View

CVE-2026-27943
Summary

OpenEMR's eye exam view in versions up to 8.0.0 allows anyone with an account to access and edit other patients' eye exam data without permission. This could lead to sensitive medical information being shared or altered. To fix this, update to the latest version from the OpenEMR GitHub repository.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor   | Product | Affected versions | Fix available
open-emr | openemr | <= 8.0.0          |
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to the current user’s patient/encounter context. An authenticated user can access or edit any patient’s eye exam by supplying another form ID; in some flows the session’s active patient may also be switched. A fix is available on the `main` branch of the OpenEMR GitHub repository.
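As an added illustration of the CWE-639 pattern the description names (example code, not OpenEMR's own; the in-memory form table, the `pid`/`encounter` field names and the session dict are assumptions), the unchecked lookup is shown beside a loader that binds the requested form to the patient and encounter already active in the session:

```python
# Added example (not OpenEMR code): a form loader that enforces the ownership
# check the advisory says is missing. Field names (form_id, pid, encounter)
# and the session dict are assumptions for illustration only.

class Forbidden(Exception):
    """Raised when a form does not belong to the caller's patient/encounter context."""

# Constructed sample data: two patients, one eye exam form each.
EYE_EXAM_FORMS = {
    101: {"form_id": 101, "pid": 7, "encounter": 55, "notes": "OD 20/20, OS 20/25"},
    102: {"form_id": 102, "pid": 8, "encounter": 91, "notes": "OD 20/40, OS 20/40"},
}

def load_form_unchecked(form_id, session):
    """Weak pattern: trusts the user-supplied key and re-points the session to
    whatever patient the form belongs to (the two defects the description lists)."""
    form = EYE_EXAM_FORMS[form_id]
    session["pid"] = form["pid"]  # active patient switched by a request parameter
    return form

def load_form_checked(form_id, session):
    """Hardened loader: the form must match the patient and encounter that are
    already in the server-side session; the request parameter never changes them."""
    form = EYE_EXAM_FORMS.get(form_id)
    if form is None:
        # Same error as a mismatch, so a caller cannot probe which ids exist.
        raise Forbidden("form not available in this context")
    if form["pid"] != session["pid"] or form["encounter"] != session["encounter"]:
        # Worth logging: repeated denials from one account are a useful detection signal.
        raise Forbidden("form not available in this context")
    return form

def can_view(form_id, session):
    """Boolean wrapper for call sites (and tests) that only need a yes/no answer."""
    try:
        load_form_checked(form_id, session)
        return True
    except Forbidden:
        return False
```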
NVD CVSS 3.1 score: 6.5
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026