Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the token’s OpenEMR ACLs—effectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.
Published: 2026-02-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access and modification of PHI via the REST API
Action: Patch Now
AI Analysis

Impact

OpenEMR, prior to version 8.0.0, exposes all patient documents and insurance data through its REST API because the endpoints skip mandatory authorization checks. Any authenticated bearer token can read or modify this data, which means a malicious or compromised client could retrieve or alter protected health information without consent. This flaw gives attackers a direct path to PHI confidentiality breaches and potential integrity violations.

Affected Systems

The flaw affects the OpenEMR application in all releases older than 8.0.0. The patch was applied in version 8.0.0, so any deployment of 7.9.x or earlier is vulnerable.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity, and the current EPSS score of less than 1% suggests that exploit attempts are extremely rare at present. The vulnerability is not in the CISA KEV list. Exploitation requires only a valid API bearer token, so the flaw is remotely actionable over the internet. Because any authenticated client can reach the endpoints regardless of ACLs, attackers could achieve wide-scale PHI exposure or tampering with minimal effort.

Generated by OpenCVE AI on April 17, 2026 at 15:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0 or later, which restores proper ACL checks for document and insurance endpoints.
  • Verify that RestConfig::request_authorization_check() is invoked for the document and insurance routes by inspecting the routes file or reviewing the applied code changes.
  • If an immediate upgrade is not possible, restrict API traffic to trusted users only and enforce ACL checks manually or via middleware to block unauthorized access to the document and insurance endpoints.
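Added example for the verification step above (not OpenEMR's code and not part of this record): a small Python checker that scans a PHP route table for `"METHOD /path" => function` entries whose closure body never calls `RestConfig::request_authorization_check(` and lists them for review. The sample route table, its paths and its controller names are constructed to mirror the pattern the description gives, not copied from OpenEMR.

```python
import re

# Constructed sample modelled on the advisory's description: a PHP array mapping
# "METHOD /path" keys to closures. Paths and controller names are illustrative.
SAMPLE_ROUTES = r'''
$routes = [
    "GET /api/patient/:puuid/encounter" => function ($puuid, HttpRestRequest $request) {
        RestConfig::request_authorization_check($request, "encounters", "auth_a");
        return (new EncounterRestController())->getAll($request, $puuid);
    },
    "GET /api/patient/:pid/document" => function ($pid, HttpRestRequest $request) {
        // no authorization check here: any bearer token reaches the controller
        return (new DocumentRestController())->getAllAtPath($pid, $request->getQueryParam("path"));
    },
    "POST /api/patient/:pid/insurance" => function ($pid, HttpRestRequest $request) {
        $data = $request->getRequestBodyJSON();
        return (new InsuranceRestController())->post($pid, $data);
    },
];
'''

ROUTE_KEY = re.compile(r'"(?P<route>(?:GET|POST|PUT|PATCH|DELETE)\s+[^"]+)"\s*=>\s*function\b')
AUTH_CALL = "RestConfig::request_authorization_check("

def _closure_body(src: str, start: int) -> str:
    """Return the brace-delimited closure body that begins at the first '{' after start."""
    open_idx = src.index("{", start)
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx:i + 1]
    raise ValueError("unbalanced braces in route table")

def routes_missing_auth_check(src: str) -> list:
    """List route keys whose handler closure never calls the ACL check."""
    missing = []
    for m in ROUTE_KEY.finditer(src):
        body = _closure_body(src, m.end())
        if AUTH_CALL not in body:
            missing.append(m.group("route"))
    return missing

if __name__ == "__main__":
    for route in routes_missing_auth_check(SAMPLE_ROUTES):
        print("missing ACL check:", route)
```

Brace matching ignores braces inside string literals, and a check performed inside a called controller is not visible to this scan, so treat the output as candidates to confirm by hand.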

Generated by OpenCVE AI on April 17, 2026 at 15:02 UTC.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 03:15:00 +0000

  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 14:45:00 +0000

  Type: First Time appeared
  Values Added: Open-emr; Open-emr openemr

  Type: CPEs
  Values Added: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

  Type: Vendors & Products
  Values Added: Open-emr; Open-emr openemr

Thu, 26 Feb 2026 13:30:00 +0000

  Type: First Time appeared
  Values Added: Openemr; Openemr openemr

  Type: Vendors & Products
  Values Added: Openemr; Openemr openemr

Wed, 25 Feb 2026 19:00:00 +0000

  Type: Description
  Values Added: OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the token’s OpenEMR ACLs—effectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.

  Type: Title
  Values Added: OpenEMR's Document and Insurance REST Endpoints Skip ACL

  Type: Weaknesses
  Values Added: CWE-862

  Type: References
  Values Added:

  Type: Metrics
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:13:42.534Z

Reserved: 2026-01-29T15:39:11.823Z

Link: CVE-2026-25164

Vulnrichment

Updated: 2026-02-26T16:13:26.672Z

NVD

Status: Analyzed

Published: 2026-02-25T19:43:21.827

Modified: 2026-02-27T14:41:30.330

Link: CVE-2026-25164

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses