Description
OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions.
Published: 2026-05-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenEMR 7.0.1 allows attackers to bypass authentication rate limiting by repeatedly sending POST requests to the login endpoint, enabling systematic brute‑force testing of username and password combinations without account lockout. The weakness is classified as CWE‑307 (Improper Restriction of Excessive Authentication Attempts) and gives an unauthenticated network attacker a feasible path to guessing valid credentials. Both published vectors rate confidentiality impact as High with no integrity or availability impact, so the scored outcome is credential compromise and disclosure of whatever the guessed account can read; what the attacker can do beyond that depends on the role of the account that falls, and the vulnerability itself is a failure of the authentication control rather than a bypass of authorization.

Affected Systems

The CVE description names OpenEMR 7.0.1. The CPE configurations attached to the record, however, also enumerate 7.0.2.1, 7.0.2.2, 7.0.2.3, 7.0.3, 7.0.3.1 through 7.0.3.4, 7.0.4, 7.3.0 and 8.0.0, and the record lists no fixed version. Do not treat releases after 7.0.1 as unaffected on the strength of the description alone; confirm against the vendor's release notes which release adds login throttling or account lockout.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (7.5 under CVSS 3.1) marks this as high severity: attack vector Network, low complexity, no privileges and no user interaction required. With no rate limiting or account lockout, attackers can run automated credential‑guessing campaigns against any reachable login interface. The EPSS score is below 1%, and the CVE is not in the KEV catalog, but neither figure lowers the practical risk for a publicly accessible deployment, because brute forcing a login form needs no exploit beyond repeated POST requests. The only prerequisites are network access to the main login endpoint and the ability to submit those requests.

Generated by OpenCVE AI on May 5, 2026 at 12:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to the latest stable release. The record does not name a fixed version and its CPE list extends through 8.0.0, so verify in the vendor's release notes that the release you move to actually enforces login throttling or account lockout before relying on it.
  • Until then, throttle login attempts at the web server or reverse‑proxy layer, keyed by source address (for example nginx limit_req or Apache mod_evasive applied to POSTs to the login endpoint). Per‑account lockout has to be enforced where the username is visible, which is the application rather than a proxy that only sees the request line, and a per‑IP limit will not stop attempts spread across many source addresses.
  • Deploy multi‑factor authentication for all users and enforce strong, unique passwords; monitor repeated failed logins both per source address and per account, and alert on them.
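The monitoring step above can be started from the reverse proxy's access log, since every guess in this scenario is a POST to the same login endpoint. The following script is an added example for this page, not OpenEMR project code and not part of the CVE record. It assumes the proxy in front of OpenEMR logs in the Apache/nginx "combined" format and that the login form posts to /interface/main/main_screen.php (an assumption; set LOGIN_PATH to match your deployment). The log lines in SAMPLE_LOG are constructed for the example. It keeps a sliding window of login POSTs per source address and reports any address that reaches the threshold within the window.

```python
"""Flag brute-force bursts against the OpenEMR login endpoint in access logs.

Added example for this page; it is not OpenEMR project code and not part of
the CVE record. Assumptions not stated on the page: the reverse proxy in
front of OpenEMR logs in the Apache/nginx "combined" format, and the login
form posts to /interface/main/main_screen.php (set LOGIN_PATH to whatever
your deployment uses). The log lines in SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed login path; verify against your deployment.
LOGIN_PATH = "/interface/main/main_screen.php"

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bruteforce_sources(lines, threshold=10, window_seconds=60):
    """Sliding-window count of POSTs to LOGIN_PATH per source address.

    Returns {ip: peak_attempts_in_any_window} for every address whose count
    reached `threshold` within `window_seconds`. Lines must be in time order
    per address, which is how a proxy writes them. Only the request line is
    counted: without lockout every attempt looks the same to the proxy, so the
    response status is deliberately ignored.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(window))
    return peaks


# --- constructed sample data --------------------------------------------------
_BASE = datetime(2026, 5, 5, 12, 0, 0, tzinfo=timezone.utc)


def _log(ip, offset_s, method="POST", path=LOGIN_PATH, status=200):
    """Build one constructed combined-format log line offset_s seconds after _BASE."""
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # 12 login POSTs in 33 seconds from one address: the page's scenario.
    [_log("203.0.113.5", s) for s in range(0, 36, 3)]
    # Noise from the same address that must not be counted.
    + [_log("203.0.113.5", 40, method="GET"),
       _log("203.0.113.5", 41, path="/interface/main/tabs/main.php")]
    # A slow attacker: 10 POSTs spaced 15 s apart never has more than 5 in a 60 s window.
    + [_log("192.0.2.9", s) for s in range(0, 150, 15)]
    # A normal user who mistyped a password twice.
    + [_log("198.51.100.7", s) for s in (0, 20, 45)]
    # A malformed line, which the parser must skip rather than crash on.
    + ["not a log line"]
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login POSTs within 60 s")
```

The per‑address key is the same one an nginx limit_req zone or mod_evasive would use, so the script doubles as a way to size that limit from real traffic before turning it on. It also shows the limit's blind spot: the slow source in the sample never trips a 60‑second window, and attempts spread over many addresses against one account never trip a per‑IP count at all. Catching those requires counting failures per username, which only the application sees (the POST body carrying authUser is not in the access log), so pair this with OpenEMR's own login audit records.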


Tracking


Advisories

No advisories yet.

History

Tue, 05 May 2026 11:45:00 +0000

Type / Values Removed / Values Added (initial revision: nothing removed, every value below was added)

Description: OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions.
Title: OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass
First Time appeared: Open-emr; Open-emr openemr
Weaknesses: CWE-307
CPEs:
  cpe:2.3:a:open-emr:openemr:7.0.1:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.0.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.0.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.0.2.3:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.0.3:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.0.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.0.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.0.3.3:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.0.3.4:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.0.4:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:7.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:open-emr:openemr:8.0.0:*:*:*:*:*:*:*
Vendors & Products: Open-emr; Open-emr openemr
References: (none)
Metrics:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T11:24:50.970Z

Reserved: 2026-01-10T01:51:52.985Z

Link: CVE-2023-54347

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T12:16:17.160

Modified: 2026-05-05T12:16:17.160

Link: CVE-2023-54347

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T14:30:25Z

Weaknesses