Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all patients instead of being restricted to only the authenticated patient's data. This could potentially lead to unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures across the entire system. The issue occurs because the `FhirCareTeamService` does not implement the `IPatientCompartmentResourceService` interface and does not pass the patient binding parameter to the underlying service, bypassing the patient compartment filtering mechanism. Version 8.0.0 contains a patch for this issue.
Published: 2026-02-25
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of PHI
Action: Patch
AI Analysis

Impact

A patient-scoped authorization bypass in the FHIR CareTeam resource endpoint allows an authenticated patient to retrieve care team information for all patients, potentially exposing protected health information such as patient-provider relationships and care team structures. The flaw is rooted in the FhirCareTeamService missing the required IPatientCompartmentResourceService implementation, which bypasses the patient compartment filtering mechanism. This is a notable confidentiality breach, categorized under CWE-200 and CWE-863.

Affected Systems

The vulnerability affects OpenEMR deployments using versions prior to 8.0.0. Any installation running an older release exposes patient data across the entire system when accessed through the FHIR CareTeam endpoint.

Risk and Exploitability

The CVSS score of 5.7 indicates medium severity, and an EPSS score of less than 1% signals a very low yet nonzero probability of exploitation. Because the flaw is remote and only requires possession of a valid patient-scoped FHIR token, an attacker can use standard network access to the server to read PHI, though the lack of KEV status and low EPSS suggest no confirmed exploits yet. The lack of an enforced compartment filter means the attack path is straightforward: authenticate as a patient and query the CareTeam resource, which returns data from all patients.

Generated by OpenCVE AI on April 17, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official OpenEMR update to version 8.0.0 or later, which contains the fix.
  • Reconfigure the FHIR CareTeam handler to enforce patient compartment filtering, either by ensuring the IPatientCompartmentResourceService interface is correctly implemented or by adding downstream validation that rejects requests for other patients.
  • Enable and monitor audit logging for all FHIR CareTeam requests to detect unauthorized access attempts and verify that only the authenticated patient's data is returned.
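As an added example (not OpenEMR code), the downstream validation and response verification suggested above: a check that a CareTeam search Bundle returned for a patient-scoped token contains only CareTeam resources whose subject is the bound patient. The patient ids, resource ids and the sample Bundle are constructed for illustration.

```python
"""Downstream patient-compartment check for FHIR CareTeam search results.

Added example, not OpenEMR code. Given the patient id bound to a
patient-scoped token and the Bundle a CareTeam search returned, it lists
every CareTeam whose subject is a different patient (for rejection or
alerting) and can filter the bundle down to the bound patient's entries.
"""
from __future__ import annotations
import json

def _subject_patient_id(care_team: dict) -> str | None:
    """Patient id from CareTeam.subject.reference ('Patient/<id>'), else None."""
    ref = care_team.get("subject", {}).get("reference", "")
    if ref.startswith("Patient/"):
        return ref.split("/", 1)[1]
    return None  # Group subject or no subject: never the token's patient

def compartment_violations(token_patient_id: str, bundle: dict) -> list[str]:
    """Return 'CareTeam/<id>' for each entry not belonging to the bound patient."""
    violations = []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") != "CareTeam":
            continue
        if _subject_patient_id(res) != token_patient_id:
            violations.append(f"CareTeam/{res.get('id', '?')}")
    return violations

def filter_to_compartment(token_patient_id: str, bundle: dict) -> dict:
    """Copy of the bundle keeping only CareTeams whose subject is the bound patient."""
    kept = [e for e in bundle.get("entry", [])
            if e.get("resource", {}).get("resourceType") == "CareTeam"
            and _subject_patient_id(e["resource"]) == token_patient_id]
    return {**bundle, "entry": kept, "total": len(kept)}

# Constructed sample: a token bound to Patient/p-100 receives a searchset that
# also contains another patient's care team, the condition this CVE describes.
SAMPLE_BUNDLE = json.loads("""{
  "resourceType": "Bundle", "type": "searchset", "total": 2,
  "entry": [
    {"resource": {"resourceType": "CareTeam", "id": "ct-1",
                  "subject": {"reference": "Patient/p-100"}}},
    {"resource": {"resourceType": "CareTeam", "id": "ct-2",
                  "subject": {"reference": "Patient/p-200"}}}
  ]}""")

if __name__ == "__main__":
    print("cross-patient entries:", compartment_violations("p-100", SAMPLE_BUNDLE))
    print("entries kept:", filter_to_compartment("p-100", SAMPLE_BUNDLE)["total"])
```

Run against captured responses, a non-empty violation list is the audit signal the third action above asks for; placed in the request path, it is the point at which to reject the response instead of returning it.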

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 14:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Open-emr
                                       Open-emr openemr
CPEs                                   cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products                     Open-emr
                                       Open-emr openemr
Metrics                                cvssV3_1
                                       {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Feb 2026 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Openemr
                                       Openemr openemr
Vendors & Products                     Openemr
                                       Openemr openemr

Wed, 25 Feb 2026 18:30:00 +0000

Type                  Values Removed   Values Added
Description                            OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all patients instead of being restricted to only the authenticated patient's data. This could potentially lead to unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures across the entire system. The issue occurs because the `FhirCareTeamService` does not implement the `IPatientCompartmentResourceService` interface and does not pass the patient binding parameter to the underlying service, bypassing the patient compartment filtering mechanism. Version 8.0.0 contains a patch for this issue.
Title                                  OpenEMR has FHIR Patient Compartment Bypass in CareTeam Resource
Weaknesses                             CWE-200
                                       CWE-863
References
Metrics                                cvssV4_0
                                       {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:48:47.360Z

Reserved: 2026-01-23T00:38:20.548Z

Link: CVE-2026-24487

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-25T19:43:21.333

Modified: 2026-02-27T14:44:15.033

Link: CVE-2026-24487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses