PatchSiren cyber security CVE debrief

CVE-2026-5781 Agilonhealth CVE debrief

An authorization vulnerability in MphRx's Minerva V3.6.0 allows authenticated users with user modification privileges to escalate to administrator privileges by manipulating the 'identifier' field in HTTP requests to the '/minerva/moUser/update' endpoint. The vulnerability cannot be exploited through the graphical user interface, requiring direct HTTP request manipulation. The issue was published by NVD on April 28, 2026, and last modified on May 28, 2026. INCIBE-CERT has issued a third-party advisory documenting this vulnerability.

Vendor: Agilonhealth
Product: Minerva
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-28
Original CVE updated: 2026-05-28
Advisory published: 2026-04-28
Advisory updated: 2026-05-28

Who should care

  • Healthcare organizations using MphRx Minerva V3.6.0 for patient data management
  • Security teams responsible for healthcare application security
  • Compliance officers overseeing HIPAA and healthcare data protection requirements

Technical summary

The '/minerva/moUser/update' endpoint in Minerva V3.6.0 fails to properly validate that the authenticated user is authorized to modify the account specified by the 'identifier' parameter. An authenticated user with user modification privileges can submit an HTTP request with a manipulated 'identifier' value corresponding to an administrative account, thereby gaining administrator privileges. The vulnerability is not exposed through the GUI, requiring attackers to craft direct HTTP requests.

Defensive priority

HIGH

Recommended defensive actions

  • Review and restrict access to the '/minerva/moUser/update' endpoint to administrative roles only
  • Implement server-side validation to ensure users can only modify their own account identifiers unless explicitly authorized
  • Deploy additional authorization checks that verify the requesting user's privileges match the intended operation scope
  • Monitor HTTP request logs for anomalous 'identifier' field modifications in user update requests
  • Apply vendor patches when available from Agilon Health/MphRx
  • Conduct access control audits to identify any accounts that may have been improperly escalated
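
The second and fourth actions above can be expressed as one check. The example below is added here and is not Minerva's or MphRx's code; it assumes a hypothetical access-log format (actor, roles, method, path, JSON body) and the policy the debrief recommends: a caller may update only its own account unless it holds the administrator role. The same function serves as the server-side guard for '/minerva/moUser/update' and as a detector over constructed log lines.

```python
import json
import re

UPDATE_ENDPOINT = "/minerva/moUser/update"

# Constructed sample access-log lines (hypothetical format, not Minerva's real log):
# "<actor> roles=<comma-separated roles> <method> <path> <json body>"
SAMPLE_LOG = """\
alice roles=user_admin POST /minerva/moUser/update {"identifier": "alice", "email": "a@example.org"}
alice roles=user_admin POST /minerva/moUser/update {"identifier": "admin", "role": "administrator"}
root roles=administrator POST /minerva/moUser/update {"identifier": "bob", "role": "user"}
bob roles=user POST /minerva/moUser/update {"identifier": "carol", "role": "administrator"}
alice roles=user_admin GET /minerva/dashboard {}
"""

LINE_RE = re.compile(r"^(\S+) roles=(\S+) (\S+) (\S+) (.*)$")


def is_update_authorized(actor, actor_roles, target_identifier):
    """Server-side authorization the endpoint must enforce (CWE-285 fix):
    the authenticated actor may modify its own account; any other
    account requires the administrator role. Assumed policy, per the debrief."""
    if "administrator" in actor_roles:
        return True
    return actor == target_identifier


def find_suspicious_updates(log_text):
    """Return (actor, target) pairs for update requests the check above would
    reject: a non-administrator whose 'identifier' names someone else's account."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        actor, roles, _method, path, body = match.groups()
        if path != UPDATE_ENDPOINT:
            continue
        target = json.loads(body).get("identifier")
        if target is None:
            continue
        if not is_update_authorized(actor, roles.split(","), target):
            findings.append((actor, target))
    return findings


if __name__ == "__main__":
    for actor, target in find_suspicious_updates(SAMPLE_LOG):
        print(f"ALERT: {actor} attempted to update account '{target}' via {UPDATE_ENDPOINT}")
```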

Evidence notes

CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and no user interaction needed. The vulnerability affects confidentiality, integrity, and availability at the system level (SC:H/SI:H/SA:H). CPE confirms Agilon Health Minerva version 3.6.0 as vulnerable. CWE-285 (Improper Authorization) is the identified weakness type.

Official resources

The vulnerability was disclosed through official vulnerability databases (NVD) with coordination from INCIBE-CERT. No known exploitation in the wild has been reported.