CVE-2026-12207
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
A security flaw has been discovered in the HTTP REST API component of medkey-org medkey (up to fc09b7ba9441ff590b72d428d5380834216b09ed). The function actionGetPatientById in PatientController.php is affected, where manipulation of the ID argument leads to improper control of resource identifiers, enabling remote attacks. The exploit has been publicly released and may be used in attacks.
Risk Assessment
The organization is at risk of unauthorized access to patient data through ID manipulation in API requests, potentially leading to leakage of sensitive medical information.
Recommendation
Immediately update medkey to the latest available version (the vendor uses a rolling release system) and implement validation and authorization mechanisms for the ID parameter in REST API endpoints.
Original NVD description (English source)
A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. Impacted is the function actionGetPatientById of the file app\modules\medical\port\rest\controllers\PatientController.php of the component HTTP REST API. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.

