Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied `patient_id` values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue.
Published: 2026-02-25
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Patch
AI Analysis

Impact

OpenEMR's Immunization Search/Report accepts a patient_id parameter that is directly concatenated into a SQL WHERE clause. Because no parameterization or escaping is performed, any authenticated user can append arbitrary SQL code. The vulnerability enables complete database compromise, exposing protected health information, user credentials, and, in some configurations, can lead to remote code execution.

Affected Systems

The flaw exists in the OpenEMR application, affecting all installations running any version prior to 8.0.0.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 score of 7.4 and an EPSS of less than 1 %, indicating a low current exploitation probability but not negligible. It is not listed in the CISA KEV catalog. The likely attack vector requires authentication to the web interface; an attacker can craft a malicious patient_id value in the query string or form submission to trigger the injection. Successful exploitation can read or modify the entire database, exfiltrate PHI, steal credentials, and potentially execute code if the database credentials are high privilege.

Generated by OpenCVE AI on April 17, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0 or later where the vulnerability is fixed.
  • If an upgrade is delayed, restrict or remove access to the Immunization Search/Report functionality for nontrusted users.
  • Implement input sanitization on the patient_id parameter, rejecting non‑numeric values or using prepared statements to prevent concatenation.

Generated by OpenCVE AI on April 17, 2026 at 15:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 25 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied `patient_id` values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue.
Title OpenEMR has SQL Injection in Immunization Search/Report
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:58:11.023Z

Reserved: 2026-01-14T16:08:37.482Z

Link: CVE-2026-23627

cve-icon Vulnrichment

Updated: 2026-02-26T20:58:06.068Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T19:43:21.010

Modified: 2026-02-27T14:51:47.317

Link: CVE-2026-23627

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses