This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system.
PUBLISHED5.2CWE-639
Broken Access Control Vulnerability in e-Sushrut HMIS
Problem type
Affected products
CDAC-Noida
e-Sushrut, Hospital Management Information System (HMIS)
Previous versions - AFFECTED
References
GitHub Security Advisories
GHSA-fvwx-ghwg-3rm3
This vulnerability exists in e-Sushrut due to improper authorization checks during resource...
https://github.com/advisories/GHSA-fvwx-ghwg-3rm3This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-42516Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-42516",
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"dateUpdated": "2026-04-29T08:26:15.611Z",
"dateReserved": "2026-04-28T08:14:36.620Z",
"datePublished": "2026-04-29T08:26:15.611Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In",
"dateUpdated": "2026-04-29T08:26:15.611Z"
},
"title": "Broken Access Control Vulnerability in e-Sushrut HMIS",
"descriptions": [
{
"lang": "en",
"value": "This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system."
}
]
}
],
"affected": [
{
"vendor": "CDAC-Noida",
"product": "e-Sushrut, Hospital Management Information System (HMIS)",
"defaultStatus": "unaffected",
"versions": [
{
"version": "Previous versions",
"status": "affected",
"versionType": "custom"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"cweId": "CWE-639",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0207",
"tags": [
"third-party-advisory"
]
}
],
"impacts": [
{
"capecId": "CAPEC-566",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-566 Authorization Bypass Through Parameter Manipulation"
}
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"solutions": [
{
"lang": "en",
"value": "Contact C-DAC for upgrading e-Sushrut HMIS to latest version",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Contact C-DAC for upgrading e-Sushrut HMIS to latest version"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability is reported by Harsh Verma",
"type": "finder"
}
]
}
}
}