External risk intelligence

MphRx Minerva lets attackers take over accounts by changing user info

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-5779

An internal attacker can manipulate account settings in MphRx Minerva to modify another user's email address, allowing them to reset passwords and take over that account. This flaw puts sensitive user data at risk and could lead to unauthorized access to privileged accounts.

Halo Surface Signal: 2

Agilonhealth Minerva

3.6.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-5779

The vulnerability requires an authenticated session in MphRx Minerva, an enterprise application typically deployed within internal healthcare networks. While accessible via web protocols, it is not a public-facing service and is generally protected by internal access controls, making direct exposure to the public internet uncommon.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in MphRx's Minerva allows an authenticated user to change another user's profile details, such as their email address. This could lead to a full account takeover and compromise sensitive information.

  • Affects authenticated users.
  • Can lead to account takeover.
  • Impacts user data integrity.

Attack Path

How an attacker could exploit the issue

An authenticated user can abuse this IDOR to modify other users' profile information. They could change an email address and then use the password reset function to gain full account takeover.

  • Authenticated user access required.
  • Targets user profile update endpoint.
  • Account takeover is the goal.

Live Threat

Current exploitation, exposure, and threat context

This insecure direct object reference (IDOR) vulnerability allows authenticated users to modify other users' information and potentially take over their accounts. While this could lead to significant damage within an organization, attackers generally prefer vulnerabilities that do not require prior authentication, as they offer broader access.

  • Requires authenticated access.
  • Exploitation is manual or needs a custom tool.
  • Target is enterprise software.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking services offline if the MphRx Minerva V3.6.0 application is in use, as this IDOR vulnerability allows authenticated users to compromise other accounts. Teams should immediately investigate their asset inventory for instances of Minerva V3.6.0 and assess their exposure. If affected systems cannot be immediately patched or isolated, focus on stringent access controls and enhanced monitoring.

  • Identify and isolate affected Minerva instances.
  • Block or strictly limit access to the '/minerva/user/updateUserProfile' endpoint.
  • Monitor for unauthorized user profile modifications.
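To support the monitoring step above, here is an added example (not from the advisory and not MphRx code) that scans constructed access-log lines for updates to the listed profile endpoint where the authenticated session user is not the profile's owner, and notes whether a password-reset request for that owner followed shortly after. The log line format, the `user=`/`target=`/`email=` fields and the password-reset path are assumptions; real Minerva logs will need their own parser.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not real Minerva output). The format and the
# user=/target=/email= fields are assumptions about how the application
# records which session performed a profile update and whose profile changed.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z user=alice POST /minerva/user/updateUserProfile target=alice email=alice@example.org
2026-03-01T10:02:10Z user=mallory POST /minerva/user/updateUserProfile target=bob email=new@example.net
2026-03-01T10:03:05Z user=- POST /PLACEHOLDER-password-reset-path target=bob
2026-03-01T10:10:00Z user=carol POST /minerva/user/updateUserProfile target=carol email=carol@example.org
"""

PROFILE_ENDPOINT = "/minerva/user/updateUserProfile"  # path named in the advisory
RESET_ENDPOINT = "/PLACEHOLDER-password-reset-path"   # not on the page; placeholder
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"target=(?P<target>\S+)(?: email=(?P<email>\S+))?$"
)

def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_cross_user_updates(log_text, reset_window_minutes=30):
    """Flag profile updates where the session user is not the profile owner,
    and mark whether a password reset for that owner followed within the
    window (the email-change-then-reset chain the advisory describes)."""
    window = timedelta(minutes=reset_window_minutes)
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    resets = [r for r in records if r["path"] == RESET_ENDPOINT]
    alerts = []
    for r in records:
        if r["path"] != PROFILE_ENDPOINT or r["user"] == r["target"]:
            continue  # self-service edits are the expected case
        followed = any(x["target"] == r["target"]
                       and r["ts"] <= x["ts"] <= r["ts"] + window
                       for x in resets)
        alerts.append({"actor": r["user"], "victim": r["target"],
                       "new_email": r["email"], "followed_by_reset": followed})
    return alerts

if __name__ == "__main__":
    for alert in detect_cross_user_updates(SAMPLE_LOG):
        print(alert)
```

Legitimate administrative edits of other users' profiles will also be flagged, so in practice exclude sessions whose role is allowed to do this, and treat a cross-user email change followed by a reset as the highest-priority case.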

Frequently asked questions

What is MphRx Minerva and what is its function within healthcare organizations?

MphRx Minerva is an enterprise application used by healthcare organizations to manage user information and profiles. It includes features for updating user data and handling password resets.

What is CVE-2026-5779 and what type of weakness does it represent?

CVE-2026-5779 is a critical vulnerability classified as an Insecure Direct Object Reference (IDOR). This weakness allows an authenticated user to access and modify the data of other users through specific application endpoints.

How can an attacker exploit CVE-2026-5779 to gain account control?

An authenticated attacker can exploit this IDOR vulnerability by targeting the '/minerva/user/updateUserProfile' endpoint. By modifying another user's email and then initiating a password reset, an attacker can achieve full account takeover.

What is the relevance of CVE-2026-5779 according to the Halo Surface Signal?

The Halo Surface Signal indicates that CVE-2026-5779 is unlikely to be exploited externally because it requires an authenticated session within MphRx Minerva, an enterprise application typically protected by internal access controls and not a public-facing service.

What steps should be taken to address the MphRx Minerva vulnerability?

Organizations using MphRx Minerva V3.6.0 should prioritize isolating or taking affected services offline. If immediate patching or isolation isn't possible, focus on enforcing stringent access controls and enhancing monitoring for unauthorized user profile modifications.
