CVE-2026-12207

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability exists in the Medkey open-source platform, affecting the function actionGetPatientById in the file app\modules\medical\port\rest\controllers\PatientController.php of the HTTP REST API component. The vulnerability impacts versions up to commit fc09b7ba9441ff590b72d428d5380834216b09ed. The function directly queries and returns patient records based solely on the user-supplied $id parameter without verifying that the authenticated session token belongs to the requested patient or an authorized medical professional. The parent class app\common\rest\ActiveController also lacks global row-level or object-level access validation wrappers, making any authenticated user able to access any patient record by modifying the id query parameter [1].

Exploitation

An attacker must have an authenticated session token for the REST API. The attacker can then send HTTP GET requests to the endpoint that calls actionGetPatientById and simply change the id parameter (e.g., from id=1 to id=2) to retrieve records of different patients without authorization. The exploit is publicly available and code fragments have been released [1].

Impact

Successful exploitation leads to unauthorized exfiltration of Protected Health Information (PHI), including sensitive medical history data, patient names, and active medical insurance policy details. This constitutes a high-impact disclosure of confidential patient data and a violation of healthcare data privacy regulations [1].

Mitigation

The vendor was contacted but did not respond, and as of the publication date no fix or advisory has been released. The product uses a rolling release system, so version information for patches is not disclosed. Users should isolate the REST API endpoint from untrusted networks and implement additional access controls, such as validating that the authenticated user has permission to access the requested patient record. No official workaround is available [1].