VYPR
Unrated severity · NVD Advisory · Published Apr 6, 2022 · Updated Aug 4, 2024

CVE-2021-40375

Description

Apperta Foundation OpenEyes 3.5.1 allows remote attackers to view the sensitive information of patients without having the intended level of privilege. Despite OpenEyes returning a Forbidden error message, the contents of a patient's profile are still returned in the server response. This response can be read in an intercepting proxy or by viewing the page source. Sensitive information returned in responses includes patient PII and medication records or history.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenEyes 3.5.1 fails to enforce access control on patient profiles, returning sensitive data in the server response even when a 'Forbidden' error is displayed.

Vulnerability

OpenEyes 3.5.1, developed by the Apperta Foundation, contains an improper access control vulnerability in patient profile views. When a low-privileged user accesses a patient profile URL, the application displays a 'Forbidden' error page, but the server response still includes the full patient data. This affects all patient profile endpoints in version 3.5.1 [1][2].

Exploitation

An attacker with a low-privileged account can obtain a direct URL to a patient profile (e.g., by observing a privileged user's browser history or by guessing URLs). After logging in with the low-privileged account and navigating to that URL, the attacker sees a 'Forbidden' message, but can view the page source or intercept the HTTP response to retrieve the patient's sensitive information [2].

Impact

Successful exploitation discloses sensitive patient personally identifiable information (PII) such as date of birth, NHS number, and address, as well as extensive medical records including medication plans, prescription information, past appointments, current medical problems, and past procedures. This breach of confidentiality can lead to privacy violations and regulatory non-compliance [2].

Mitigation

As of the publication date (2022-04-06), no official patch has been released. Users of OpenEyes 3.5.1 should restrict access to patient profile URLs through network controls or implement additional authentication checks. The vendor (Apperta Foundation) has not yet provided a fixed version; monitoring the OpenEyes repository for updates is recommended [1][2].
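The failure described under Vulnerability and the server-side check recommended under Mitigation, reduced to a minimal handler pair as an added example. This is illustrative code written for this page, not OpenEyes code: the patient record, the two accounts, the `can_view_profile` policy, the handler names and the field names are all constructed assumptions. The vulnerable handler mirrors the pattern the advisory describes (the denial only changes what is rendered, so the 403 response still carries the record); the fixed handler decides before loading anything, and `leaks_on_denial` is the regression check a defender can keep in a test suite to catch the pattern if it reappears.

```python
"""Added example (not OpenEyes code): the access-control failure described
in CVE-2021-40375 as a minimal handler, beside a hardened version and a
response check a defender can run in a test suite.

Everything here is constructed: the patient record, the users, the
handler shapes and the field names are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample data: one patient record and two accounts.
PATIENTS = {
    42: {
        "name": "Example Patient",              # constructed
        "dob": "1970-01-01",                    # constructed
        "nhs_number": "000 000 0000",           # constructed placeholder
        "medications": ["example-drug 10mg"],   # constructed
    }
}
USERS = {"clinician": {"role": "clinician"}, "receptionist": {"role": "reception"}}


def can_view_profile(user: dict) -> bool:
    """Hypothetical policy: only clinicians may read the full profile."""
    return user.get("role") == "clinician"


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def view_profile_vulnerable(user: dict, patient_id: int) -> Response:
    """Pattern the advisory describes: the record is loaded first and the
    authorisation decision only changes what the page shows, so the
    'Forbidden' response still carries the full record."""
    patient = PATIENTS[patient_id]
    body = {"error": None, "patient": patient}
    if not can_view_profile(user):
        body["error"] = "Forbidden"   # shown to the user; data still attached
        return Response(403, body)
    return Response(200, body)


def view_profile_fixed(user: dict, patient_id: int) -> Response:
    """Hardened form: authorise before loading, and make the denial carry
    nothing but the error."""
    if not can_view_profile(user):
        return Response(403, {"error": "Forbidden"})
    patient = PATIENTS.get(patient_id)
    if patient is None:
        return Response(404, {"error": "Not found"})
    return Response(200, {"error": None, "patient": patient})


SENSITIVE_FIELDS = {"dob", "nhs_number", "medications"}


def leaks_on_denial(response: Response) -> bool:
    """Regression check: a denied (401/403) response must not carry any
    sensitive field anywhere in its body (searched recursively)."""
    def walk(obj) -> bool:
        if isinstance(obj, dict):
            return any(k in SENSITIVE_FIELDS or walk(v) for k, v in obj.items())
        if isinstance(obj, list):
            return any(walk(v) for v in obj)
        return False
    return response.status in (401, 403) and walk(response.body)


if __name__ == "__main__":
    low = USERS["receptionist"]
    print("vulnerable handler leaks:", leaks_on_denial(view_profile_vulnerable(low, 42)))  # True
    print("fixed handler leaks:", leaks_on_denial(view_profile_fixed(low, 42)))            # False
```

The point of `leaks_on_denial` is that it inspects the whole response body rather than the rendered page: a template that hides a block is not an access control, and a check that only looks at what the user sees would pass the vulnerable handler.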

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)