IDOR Vulnerability Exposes Sensitive Medical Documents in Polish E‑Health System

The Sec News Team

Overview

A recently uncovered IDOR (Insecure Direct Object Reference) vulnerability in Poland’s government-run e‑health platform, Internetowe Konto Pacjenta (IKP), exposed sensitive documents belonging to blood donors. The flaw enabled unauthorised access to PDF files containing personal and medical details by manipulating predictable identifiers within a URL. Although the incident affected a narrow subset of users, it still demonstrates the ongoing risks associated with access control misconfigurations in modern digital services.

Why the Issue Matters

IDOR vulnerabilities remain one of the most common weaknesses in web applications. Despite increased industry awareness, organisations frequently overlook fine-grained access control validation. When the systems in question handle medical information, the stakes are significantly higher. Even seemingly low-impact data—such as confirmation of blood donation—still falls under personal data protection frameworks and can expose individuals to privacy risks.

In this case, the documents accessible via the IKP portal included personal identifiers, dates of medical visits, and information linked to employment benefits. While not indicative of poor health, these data points constitute sensitive information under most data protection standards. The incident therefore highlights the importance of strong access control validation within national health infrastructures.

What Happened

The vulnerability was discovered by an IKP user who responsibly reported the issue. Two types of PDF documents were exposed through predictable URL identifiers:

  • A certificate confirming a donor’s entitlement to a day off work, containing name, surname, national identification number, date of donation, and the medical facility involved.
  • A cumulative summary of past donations, listing the quantity of blood or blood components donated, details of the issuing facility, issuance date, and personal data of both the donor and the authorised issuer.

These documents were accessible at a URL where the final six digits acted as a resource identifier. By incrementing or decrementing this ID, an attacker could retrieve files belonging to other donors. The pattern appeared sequential, allowing access to documents from both 2025 and 2026.

Timeline of the Incident

The vulnerability was reported on 7 January 2026. Immediate steps were taken the following day, with further communication continuing until the issue was confirmed as resolved on 14 January 2026. The rapid reaction from the responsible entity is encouraging, although the reporting user indicated that communication clarity could be improved—an important lesson for organisations handling vulnerability disclosures.

Analysis: Lessons for the Cybersecurity Community

This incident underscores key recurring themes in cybersecurity:

Predictable Identifiers

Sequential or guessable identifiers remain a major source of IDOR exposures. Industry best practice recommends the use of opaque and unpredictable tokens for any resource referencing.

Lack of Authorisation Checks

Applications must verify that any authenticated user attempting to retrieve a resource is authorised to do so. Relying solely on obscurity or hard-to-guess URLs is insufficient.
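As an added illustration of the two lessons above (predictable identifiers and missing authorisation checks), the following is not code from IKP or from the article: it places a lookup that trusts a sequential document id beside a hardened lookup that uses an opaque reference and still enforces ownership on every request. The `Document`, `DocumentStore` and sample records are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: int                       # sequential, guessable id (the flaw)
    owner: str                        # donor the PDF belongs to
    kind: str                         # e.g. "day_off_certificate"
    content: str
    # Opaque per-document reference; unguessable, unlike the six-digit id
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class AccessDenied(Exception):
    pass


class DocumentStore:
    def __init__(self, docs):
        self.by_id = {d.doc_id: d for d in docs}
        self.by_token = {d.token: d for d in docs}

    def fetch_vulnerable(self, requester, doc_id):
        # Caller is authenticated, but nothing checks that the caller owns
        # the document: altering the id returns another donor's PDF.
        return self.by_id[doc_id].content

    def fetch_secure(self, requester, token):
        # Opaque token removes the guessable id, and the ownership check
        # makes the token alone insufficient. Missing and foreign documents
        # get the same error so the response does not reveal which it was.
        doc = self.by_token.get(token)
        if doc is None or doc.owner != requester:
            raise AccessDenied("document not found")
        return doc.content

    def tokens_for(self, owner):
        # The only legitimate way a user learns tokens: their own listing.
        return [d.token for d in self.by_id.values() if d.owner == owner]


def access_allowed(store, requester, token):
    """Defender-side check: can `requester` read the document behind
    `token` via the hardened path? True only for the owner."""
    try:
        store.fetch_secure(requester, token)
        return True
    except AccessDenied:
        return False


# Constructed sample records standing in for the donor PDFs, not IKP data.
SAMPLE_DOCS = [
    Document(100001, "donor-A", "day_off_certificate", "cert A"),
    Document(100002, "donor-B", "day_off_certificate", "cert B"),
    Document(100003, "donor-A", "donation_summary", "summary A"),
]
STORE = DocumentStore(SAMPLE_DOCS)
```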

Importance of Disclosure Processes

The responsible handling of this vulnerability by the reporting user demonstrates the value of ethical research. At the same time, the experience highlights the necessity of clear, transparent communication from the organisation receiving the report.

Data Sensitivity in E‑Health Systems

Even ‘low-impact’ medical data must be treated as sensitive. National healthcare platforms face heightened expectations for security due to the volume and importance of the data they manage.

Conclusion

The IDOR vulnerability within IKP provides another reminder that even mature government platforms can suffer from basic access control issues. While the immediate risk was limited to a subset of users, the exposure of medical and personal information reinforces the need for rigorous security validation and better communication between organisations and security researchers. What do you think? Let me know in the comments.
