Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 26, 2026
OpenEMR's Printable LBF Endpoint Leaks Arbitrary Patient Forms
CVE-2026-25930
Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Layout-Based Form (LBF) printable view accepts formid and visitid (or patientid) from the request and does not verify that the form belongs to the current user’s authorized patient/encounter. An authenticated user with LBF access can enumerate form IDs and view or print any patient’s encounter forms. Version 8.0.0 fixes the issue.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/openemr/openemr/commit/8c76acdd226007cc4ff3eccd3ca6193e0be6e699mitrex_refsource_MISC
- github.com/openemr/openemr/security/advisories/GHSA-h3xx-8cp7-hf7mmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.