KiviCare – Clinic & Patient Management System (EHR) Vulnerability (…

Mar 24, 2026 | Plugins

Attack Vectors

CVE-2026-2991 is a High-severity authentication bypass vulnerability (CVSS 7.3) affecting the KiviCare – Clinic & Patient Management System (EHR) WordPress plugin (kivicare-clinic-management-system) in versions up to and including 4.1.2.

An unauthenticated attacker can target the plugin’s social login flow and submit a victim patient’s email address along with an arbitrary social provider access token value. Because the token is not properly validated, the attacker may be able to log in as that patient without knowing a password or completing any normal verification step.

The attack is feasible remotely over the internet and requires no user interaction, which increases the likelihood of automated scanning and exploitation.

Security Weakness

The weakness is in how KiviCare handles social authentication in the patientSocialLogin() function. Specifically, the function does not verify the social provider access token before authenticating a user.

As a result, the system can treat an unverified (or completely fake) token as sufficient proof of identity. In practical terms, possession of a patient’s email address may be enough to impersonate that patient and bypass credential checks.

Remediation: Update KiviCare to version 4.1.3 or a newer patched release.
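To make the weakness concrete, here is an added illustration (not KiviCare's code) of the two patterns in a social-login handler: one that accepts the client-supplied e-mail and an unverified token, and one that introspects the token with the provider and logs in only the identity the provider asserts. The provider, client id and patient table are constructed stubs; a real implementation would replace introspect() with an HTTPS call to the provider's token endpoint.

```python
from typing import Optional

# Constructed stand-in for the provider's token-introspection endpoint:
# maps valid access tokens to the claims the provider would return.
PROVIDER_TOKENS = {
    "tok-valid-alice": {"email": "alice@example.com", "email_verified": True, "aud": "demo-client"},
    "tok-unverified-mallory": {"email": "mallory@example.com", "email_verified": False, "aud": "demo-client"},
    "tok-other-app": {"email": "alice@example.com", "email_verified": True, "aud": "other-app"},
}
EXPECTED_AUDIENCE = "demo-client"  # this site's own client id at the provider (constructed)

# Constructed patient table: e-mail -> WordPress user id
PATIENTS = {"alice@example.com": 101, "bob@example.com": 102}


def introspect(token: str) -> Optional[dict]:
    """Stub for the provider's token verification call; None means the token is unknown."""
    return PROVIDER_TOKENS.get(token)


def vulnerable_social_login(email: str, token: str) -> Optional[int]:
    """Pattern the advisory describes: any non-empty token is accepted and the
    session is keyed on whatever e-mail the client submitted."""
    if not token:
        return None
    return PATIENTS.get(email)


def hardened_social_login(submitted_email: str, token: str) -> Optional[int]:
    """Verify the token with the provider and trust only the provider's claims."""
    claims = introspect(token)
    if claims is None:                              # token not issued by the provider
        return None
    if claims.get("aud") != EXPECTED_AUDIENCE:      # token issued for a different application
        return None
    if not claims.get("email_verified"):            # provider has not verified this address
        return None
    provider_email = claims["email"].strip().lower()
    if provider_email != submitted_email.strip().lower():
        return None                                 # client-supplied e-mail must match the token's owner
    return PATIENTS.get(provider_email)             # lookup keyed on the provider-asserted e-mail
```

With a forged token, vulnerable_social_login() returns Alice's user id while hardened_social_login() rejects the request; the audience and email_verified checks also stop a genuine token issued to another application or an unverified address from being reused.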

Technical or Business Impacts

If exploited, attackers can gain patient-level access within KiviCare, which may expose sensitive healthcare information such as medical records, appointments, and prescriptions. Even if the access is “only” at the patient role, this can still constitute a serious privacy incident involving protected health information (PHI) or other regulated data.

Business risks include:

Regulatory and legal exposure: Unauthorized access to patient data can trigger breach notification obligations and potential penalties depending on your jurisdiction and contractual commitments (e.g., HIPAA-related obligations, GDPR/UK GDPR considerations, or local health privacy rules).

Operational disruption: Attackers may alter appointments, interfere with patient communications, or create support and clinical workflow disruptions that impact revenue and service delivery.

Loss of trust and brand damage: Healthcare data incidents often carry disproportionate reputational harm, affecting patient retention, partner relationships, and referral networks.

Incident response costs: Forensics, legal review, patient communications, and additional security controls can create unplanned spend and management distraction.

Similar Attacks

Authentication bypass and account takeover issues frequently stem from weaknesses in identity verification flows (such as password reset, SSO, or token validation). Examples include:

GitLab critical account takeover via password reset (CVE-2023-7028) — a real-world example where flaws in an authentication-adjacent workflow enabled attackers to take over accounts.

Okta Security Incident Updates (2023) — highlights how weaknesses around identity artifacts (tokens/sessions/support access) can lead to unauthorized access and downstream data exposure.
