OpenEMR Patient Payment Data Accessible to Wrong Accounts

CVE-2026-33931
Summary

OpenEMR's patient payment portal allowed anyone with a portal account to see payment records for other patients, including sensitive financial and personal data, by manipulating a specific query parameter. This has been fixed in version 8.0.0.3. To protect your patient data, update to the latest version of OpenEMR.

Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the pa...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patient portal payment page allows any authenticated portal patient to access other patients' payment records — including invoice/billing data (PHI) and payment card metadata — by manipulating the `recid` query parameter in `portal/portal_payment.php`. Version 8.0.0.3 patches the issue.
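The authorization gap described above, as an added illustration that is not OpenEMR's code: a hypothetical portal payment lookup keyed only on the request's `recid` beside the same lookup scoped to the patient id held in the server-side session, which is the usual fix for CWE-639. Table and column names (`portal_payments`, `pid`, `card_last4`) are assumed, and the demo needs PHP with the pdo_sqlite extension.

```php
<?php
// Hypothetical illustration of CWE-639 in a patient-portal payment page.
// This is NOT OpenEMR's code; table and column names are assumed.
declare(strict_types=1);

// --- Vulnerable pattern: the record id from the query string is the only key ---
// Any logged-in portal patient can read any payment record by changing recid.
function load_payment_vulnerable(PDO $db, array $query): ?array
{
    $recid = (int) ($query['recid'] ?? 0);
    $stmt = $db->prepare('SELECT id, pid, amount, card_last4 FROM portal_payments WHERE id = :id');
    $stmt->execute([':id' => $recid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened pattern: scope the lookup to the authenticated patient ---
// The patient id (pid) comes from the server-side session, never from the request,
// and is part of the query predicate, so a record owned by another patient simply
// does not exist from this caller's point of view (same response as "not found").
function load_payment_hardened(PDO $db, array $session, array $query): ?array
{
    if (empty($session['pid'])) {
        throw new RuntimeException('no authenticated portal patient in session');
    }
    $pid   = (int) $session['pid'];
    $recid = (int) ($query['recid'] ?? 0);
    $stmt = $db->prepare(
        'SELECT id, pid, amount, card_last4 FROM portal_payments WHERE id = :id AND pid = :pid'
    );
    $stmt->execute([':id' => $recid, ':pid' => $pid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Log the miss: repeated misses from one session are a useful IDOR-probing signal.
        error_log(sprintf('portal payment lookup denied: pid=%d recid=%d', $pid, $recid));
        return null;
    }
    return $row;
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE portal_payments (id INTEGER PRIMARY KEY, pid INTEGER, amount REAL, card_last4 TEXT)');
$db->exec("INSERT INTO portal_payments VALUES (1, 100, 25.00, '4242'), (2, 200, 80.00, '1111')");

$session = ['pid' => 100];   // patient 100 is logged in
$query   = ['recid' => 2];   // but the request names patient 200's record
var_dump(load_payment_vulnerable($db, $query) !== null);          // true: the other patient's record leaks
var_dump(load_payment_hardened($db, $session, $query) === null);  // true: denied, nothing returned
var_dump(load_payment_hardened($db, $session, ['recid' => 1])['pid'] === 100); // own record still works
```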
NVD CVSS 3.1 score: 6.5
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 26 Mar 2026 · Updated: 26 Mar 2026 · First seen: 26 Mar 2026