PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12207 medkey-org CVE debrief

CVE-2026-12207 is an improper control of resource identifiers vulnerability in Medkey up to commit fc09b7ba9441ff590b72d428d5380834216b09ed. It affects the function actionGetPatientById in the file app/modules/medical/port/rest/controllers/PatientController.php of the HTTP REST API component. By manipulating the ID argument, a caller can reference patient records it is not authorized to read (an insecure direct object reference). The attack can be carried out remotely.

Vendor
medkey-org
Product
medkey
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-15
Original CVE updated
2026-06-15
Advisory published
2026-06-15
Advisory updated
2026-06-15

Who should care

This vulnerability affects deployments of Medkey at or before commit fc09b7ba9441ff590b72d428d5380834216b09ed. The vendor ships Medkey as a rolling release with continuous delivery, so no version numbers are published for affected or fixed releases; the commit hash is the only identifier of the affected code.

Technical summary

The vulnerability has a CVSS score of 2.1 and a CVSS severity of LOW. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Read out: the endpoint is reachable over the network (AV:N) with low attack complexity and no special preconditions (AC:L, AT:N), the attacker needs a low-privileged account (PR:L) but no user interaction (UI:N), and the impact is a limited loss of confidentiality on the vulnerable system (VC:L) with no integrity, availability or subsequent-system impact. The exploit maturity metric E:P (proof of concept) lowers the score relative to the base metrics alone; the underlying weakness is a missing object-level authorization check on a patient-record lookup, so the low numeric score says nothing about the sensitivity of the records an authenticated user can read through it.
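To make the weakness class concrete, here is an added example that is not Medkey code and not taken from the advisory: a framework-agnostic model of a get-by-ID REST action that checks authentication but not authorization, beside a hardened version that scopes the lookup to what the caller may see. The record layout, the organisation-based authorization rule, and all names (Patient, Caller, can_read, get_patient_vulnerable, get_patient_hardened) are assumptions for illustration.

```python
"""Object-level authorization on a get-by-ID endpoint (added example, not Medkey code).

Models the weakness class behind CVE-2026-12207: a REST action that returns
whatever record the caller names by ID, beside a hardened version. The record
layout, the authorization rule and every name below are illustrative assumptions.
"""
import re
from dataclasses import dataclass


class HttpError(Exception):
    """Carries the HTTP status the action would respond with."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


@dataclass(frozen=True)
class Patient:
    id: int
    org_id: int  # organisation (clinic) that owns the record
    name: str


@dataclass(frozen=True)
class Caller:
    user_id: int
    org_id: int  # organisation the authenticated user belongs to
    is_admin: bool = False


# Constructed sample data: two clinics, three patient records.
PATIENTS = {
    1: Patient(1, org_id=10, name="A. Ahmed"),
    2: Patient(2, org_id=10, name="B. Brown"),
    3: Patient(3, org_id=20, name="C. Chen"),
}

ID_RE = re.compile(r"[1-9][0-9]*")


def parse_id(raw: str) -> int:
    """Accept only a canonical positive integer: rejects '', '0', '007', '1e3', '+1', ' 1'."""
    if not ID_RE.fullmatch(raw):
        raise HttpError(400, "id must be a positive integer")
    return int(raw)


def can_read(caller: Caller, patient: Patient) -> bool:
    """Assumed rule: admins see every record, others only their own organisation's."""
    return caller.is_admin or caller.org_id == patient.org_id


def get_patient_vulnerable(caller: Caller, raw_id: str) -> Patient:
    """The weakness: the caller is authenticated, but the record is never checked
    against the caller. Any logged-in user can walk the ID space and read all records."""
    patient = PATIENTS.get(parse_id(raw_id))
    if patient is None:
        raise HttpError(404, "not found")
    return patient


def get_patient_hardened(caller: Caller, raw_id: str) -> Patient:
    """Fix: the lookup succeeds only inside the caller's authorization scope.
    Not-found and not-authorized both answer 404, so the endpoint cannot be used
    as an oracle for which IDs exist."""
    patient = PATIENTS.get(parse_id(raw_id))
    if patient is None or not can_read(caller, patient):
        raise HttpError(404, "not found")
    return patient


def enumerate_ids(handler, caller: Caller, ids) -> list:
    """What manipulating the ID argument amounts to: try each ID, keep what comes back."""
    leaked = []
    for i in ids:
        try:
            leaked.append(handler(caller, str(i)).id)
        except HttpError:
            pass
    return leaked


if __name__ == "__main__":
    low = Caller(user_id=7, org_id=20)
    print("vulnerable:", enumerate_ids(get_patient_vulnerable, low, range(1, 5)))  # [1, 2, 3]
    print("hardened:  ", enumerate_ids(get_patient_hardened, low, range(1, 5)))  # [3]
```

The hardened action keeps the lookup and the permission check in one step and deliberately does not distinguish "no such record" from "not yours"; a 403 for existing records would still let a low-privileged account map out which patient IDs are in use.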

Defensive priority

The defensive priority for this vulnerability is LOW.

Recommended defensive actions

  • Check whether the deployed Medkey checkout is at or before commit fc09b7ba9441ff590b72d428d5380834216b09ed; if it is, the deployment is affected and should be moved to a patched revision as soon as one is available.
  • Because no fixed version is disclosed, monitor the vendor's website and repository, and confirm that a newer checkout actually changes the authorization handling in actionGetPatientById of app/modules/medical/port/rest/controllers/PatientController.php before treating it as fixed.
  • Until a fix is in place, treat the patient lookup endpoint as exposed to any authenticated user: a public exploit exists, so log requests to it and review accounts that retrieve unusually many distinct patient IDs.
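For the review of lookup traffic, the following added example (not from the advisory or the Medkey project) flags accounts that pull many distinct patient IDs in a short window, the access pattern that manipulating the ID argument produces. It assumes the web server writes the authenticated user into the remote-user field of the combined log format and that lookups appear under an assumed path /api/patient/<id>; the real Medkey route is not given on this page, so PATH_RE must be adjusted to the deployment. The log lines are constructed.

```python
"""Flag ID enumeration against a get-by-ID REST endpoint from access logs.

Added example, not Medkey code. Assumes combined log format with the authenticated
user in the remote-user field and an assumed lookup route /api/patient/<id>.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PATH_RE = re.compile(r"^/api/patient/(?P<id>\d+)(?:[/?]|$)")  # assumed route, adjust
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Return (user, timestamp, patient_id, status) for a GET on the lookup route, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    p = PATH_RE.match(m["path"])
    if not p:
        return None
    return m["user"], datetime.strptime(m["ts"], TS_FMT), int(p["id"]), int(m["status"])


def densest_window(evs, window: timedelta):
    """Sliding window over time-sorted events: (distinct_ids, start_index, end_index)."""
    counts, lo, best = Counter(), 0, (0, 0, 0)
    for hi, (ts, pid, _status) in enumerate(evs):
        counts[pid] += 1
        while evs[lo][0] < ts - window:  # drop events older than the window
            old = evs[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        if len(counts) > best[0]:
            best = (len(counts), lo, hi)
    return best


def find_enumerators(lines, window=timedelta(minutes=10), min_distinct=20) -> dict:
    """Users who touched at least min_distinct patient IDs within any window.

    Besides the count, report how sequential the IDs were (a walk over 100,101,102,...
    scores 1.0) and how many lookups answered 404, since a vulnerable endpoint
    returns 404 only for IDs that do not exist and blind enumeration hits many of them.
    """
    by_user = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_user[ev[0]].append(ev[1:])
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        n, lo, hi = densest_window(evs, window)
        if n < min_distinct:
            continue
        span = evs[lo:hi + 1]
        ids = sorted({pid for _, pid, _ in span})
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        flagged[user] = {
            "distinct_ids": n,
            "sequential_ratio": steps / (len(ids) - 1) if len(ids) > 1 else 0.0,
            "not_found": sum(1 for _, _, st in span if st == 404),
        }
    return flagged


def sample_log() -> list:
    """Constructed log: 'alice' walks IDs 100..129 in 5-second steps, 'bob' looks up a few."""
    t0 = datetime(2026, 6, 15, 10, 0, 0, tzinfo=timezone.utc)

    def line(user, offset, pid, status):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'10.0.0.5 - {user} [{ts}] "GET /api/patient/{pid} HTTP/1.1" {status} 512'

    alice = [line("alice", 5 * i, 100 + i, 200 if i % 2 == 0 else 404) for i in range(30)]
    bob = [line("bob", 7 * i, pid, 200) for i, pid in enumerate([5, 7, 5, 42])]
    return alice + bob


if __name__ == "__main__":
    for user, info in find_enumerators(sample_log()).items():
        print(user, info)  # alice {'distinct_ids': 30, 'sequential_ratio': 1.0, 'not_found': 15}
```

The threshold and window are tuning knobs; set min_distinct from the normal per-user lookup rate in your own logs, and keep the 404 count in the report, since a high share of 404s alongside 200s is what distinguishes blind enumeration from a busy but legitimate user.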

Evidence notes

The vendor was contacted early about this disclosure but did not respond in any way. The exploit has been released to the public and may be used for attacks.

Official resources

CVE-2026-12207 was published on 2026-06-15T02:16:12.653Z and has not been modified since then.