Improper Resource Control in medkey HTTP REST API by medkey-org
CVE-2026-12207

5.3MEDIUM

Key Information:

Vendor: Medkey-org
Status: Medkey
Vendor: CVE Published:; 15 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-12207?

A security flaw has been identified in the medkey HTTP REST API, particularly in the function actionGetPatientById within the PatientController.php file. This vulnerability allows for improper control of resource identifiers by manipulating the argument ID. Such exploitation can be executed remotely, posing a significant threat as it was publicly disclosed. The product is continuously updated via a rolling release system, meaning specific version details for affected releases remain undisclosed. Despite early notification efforts, the vendor has not provided a response regarding this vulnerability.

Affected Version(s)

medkey fc09b7ba9441ff590b72d428d5380834216b09ed

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-12207 - Proof of Concept

References

https://vuldb.com/vuln/370849

vdb-entrytechnical-description

https://vuldb.com/vuln/370849/cti

signaturepermissions-required

https://vuldb.com/cve/CVE-2026-12207

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 15, 2026
👾
Exploit known to exist
Jun 15, 2026
Vulnerability published
Jun 15, 2026
Vulnerability Reserved
Jun 14, 2026

Credit

onyxglitch (VulDB User)

VulDB CNA Team

CVE-2026-12207 Data

JSON

Medkey-org

Badges

What is CVE-2026-12207?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit