Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permission. Unauthorized users can view the information of authorized users. Version 8.0.0 fixes the issue.
Published: 2026-02-25
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure
Action: Patch Immediately
AI Analysis

Impact

OpenEMR fails to validate user permission in the Care Coordination Module, enabling unauthorized users to view data belonging to authorized users. This results in breached confidentiality of patient information and undermines the privacy guarantees required in healthcare settings.

Affected Systems

The vulnerability affects OpenEMR releases prior to version 8.0.0, distributed by the openemr project. Systems running any earlier build are susceptible, while version 8.0.0 and newer contain the fix.

Risk and Exploitability

The CVSS score of 7 indicates moderately high severity. The EPSS score of less than 1% suggests a relatively low probability of exploitation in the general population, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, with an attacker needing only authenticated access to the application to trigger the flaw; exploitation does not require privileged system access.

Generated by OpenCVE AI on April 17, 2026 at 15:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official OpenEMR 8.0.0 patch or later upgrade
  • Verify that the Care Coordination Module’s permission checks are enabled and enforce role-based access controls
  • Audit user accounts and reduce unnecessary privileges, ensuring the principle of least privilege is observed

Generated by OpenCVE AI on April 17, 2026 at 15:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 25 Feb 2026 02:00:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permission. Unauthorized users can view the information of authorized users. Version 8.0.0 fixes the issue.
Title OpenEMR has Broken Access Control on Care Coordination Module
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T20:44:14.545Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25127

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T02:16:22.820

Modified: 2026-02-25T16:01:07.580

Link: CVE-2026-25127

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses