Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 have an information disclosure vulnerability that leaks the entire contact information for all users, organizations, and patients in the system to anyone who has the system/(Group,Patient,*).$export operation and system/Location.read capabilities. This vulnerability will impact OpenEMR versions since 2023. This disclosure will only occur in extremely high trust environments as it requires using a confidential client with secure key exchange that requires an administrator to enable and grant permission before the app can even be used. This will typically only occur in server-server communication across trusted clients that already have established legal agreements. Version 8.0.0 contains a patch. As a workaround, disable clients that have the vulnerable scopes and only allow clients that do not have the system/Location.read scope until a fix has been deployed.
Published: 2026-02-25
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

OpenEMR versions prior to 8.0.0 expose the entire contact information for all users, organizations, and patients in the system to anyone who can use the system/(Group,Patient,*).$export operation along with system/Location.read capabilities, enabling a broad disclosure of personal data. The vulnerability leverages internal server‑to‑server communication that requires a confidential client, secure key exchange, and explicit administrative permission, ensuring that it only manifests in highly trusted environments with existing legal agreements. Consequently, the primary security impact is the loss of confidentiality regarding patient and user contact details.

Affected Systems

All openemr:openemr deployments running a version earlier than 8.0.0 are affected. The issue is mitigated in version 8.0.0 and later. Clients configured with the system/Location.read scope or the ability to trigger the Group.$export operation are subject to the disclosure.

Risk and Exploitability

The CVSS score is 4.5, indicating moderate complexity and impact. An EPSS score of less than 1% suggests a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires privileged access to confidential client setups, authenticated system/Location.read permissions, and an administrator who has enabled and granted the necessary scopes, likely restricting attackers to trusted internal or partner clients. Given these constraints, the risk is limited but non‑negligible in environments where such trusted clients exist.

Generated by OpenCVE AI on April 17, 2026 at 15:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenEMR version 8.0.0 or newer to receive the vendor fix.
  • Disable the system/Location.read scope on all existing client applications until the upgrade is complete.
  • Revoke any confidential client applications that are not strictly required, ensuring that only trusted applications retain the necessary permissions.

Generated by OpenCVE AI on April 17, 2026 at 15:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 25 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 have an information disclosure vulnerability that leaks the entire contact information for all users, organizations, and patients in the system to anyone who has the system/(Group,Patient,*).$export operation and system/Location.read capabilities. This vulnerability will impact OpenEMR versions since 2023. This disclosure will only occur in extremely high trust environments as it requires using a confidential client with secure key exchange that requires an administrator to enable and grant permission before the app can even be used. This will typically only occur in server-server communication across trusted clients that already have established legal agreements. Version 8.0.0 contains a patch. As a workaround, disable clients that have the vulnerable scopes and only allow clients that do not have the system/Location.read scope until a fix has been deployed.
Title OpenEMR's location resource for Group.$export operation returns entire patient/user population contact information
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T20:17:35.710Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25135

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T03:16:04.263

Modified: 2026-02-25T16:56:15.110

Link: CVE-2026-25135

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses