Description
OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.
Published: 2026-03-03
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of payment gateway API keys enabling potential financial theft
Action: Apply Patch
AI Analysis

Impact

OpenEMR versions 5.0.2 through 7.x leak the gateway_api_key directly into client‑side JavaScript. This key is a credential to the payment gateway and, if disclosed, an attacker could move funds or take over the merchant account. The vulnerability is catalogued as a Confidentiality breach (CWE‑200).

Affected Systems

The flaw affects the OpenEMR electronic health records application, specifically all releases from 5.0.2 up to, but not including, 8.0.0. Vendors and administrators should check the version of their OpenEMR deployment.

Risk and Exploitability

The CVSS score is 9.6, indicating critical severity. EPSS is reported as less than 1 %, suggesting a very low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the web interface, where any user who can reach the payment pages receives the key in plaintext. An attacker simply needs to view the page source or capture the response to obtain the credential.

Generated by OpenCVE AI on April 16, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0 or later, where the key rendering bug is fixed.
  • Review and remove any custom code that may re‑expose the gateway_api_key in client‑side scripts.
  • Until the upgrade is completed, restrict access to payment gateway pages or temporarily disable payment functionality for unauthenticated users.

Generated by OpenCVE AI on April 16, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Tue, 03 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.
Title OpenEMR's payments gateway_api_key secret rendered into client JS code
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T21:23:06.352Z

Reserved: 2026-01-29T15:39:11.821Z

Link: CVE-2026-25146

cve-icon Vulnrichment

Updated: 2026-03-04T21:22:59.220Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T22:16:28.603

Modified: 2026-03-04T21:56:00.543

Link: CVE-2026-25146

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses