Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current patient or encounter. An authenticated user with encounters/notes permission can overwrite any patient's vitals by supplying another patient's vital `id`, leading to medical record tampering. Version 8.0.0.2 fixes the issue.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Medical Record Tampering
Action: Immediate Patch
AI Analysis

Impact

The OpenEMR encounter vitals API accepts an "id" value in a POST request and treats it as an UPDATE operation without verifying that the vital record belongs to the current patient or encounter. An authenticated user who has permission to manage encounters or notes can supply the id of another patient's vital record, causing that record to be overwritten. This permits active tampering with medical data, undermining the integrity of health records and potentially leading to incorrect clinical decisions. The weakness corresponds to CWE-639 (Authorization Bypass Through User-Controlled Key): a client-supplied key selects the record to modify and no check confirms that the caller is authorized for that record, which is what makes the data corruption possible.
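The flaw and its fix, as an added illustrative model that is not OpenEMR's code: a minimal in-memory vitals store with the pre-8.0.0.2 handler pattern (a body `id` selects the row to update, unchecked) beside a hardened handler that requires the row to belong to the patient and encounter named in the route, plus an audit-log check for cross-patient updates. The field names, the route parameters `route_pid`/`route_eid` and all sample rows are assumptions constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller references a vital outside the route's patient/encounter."""


@dataclass
class Vital:
    id: int
    pid: int   # patient the record belongs to
    eid: int   # encounter the record belongs to
    bps: int   # systolic pressure (constructed sample field)


def make_store():
    # Constructed sample data: two patients, one vital record each.
    return {1: Vital(1, pid=10, eid=100, bps=120),
            2: Vital(2, pid=20, eid=200, bps=130)}


def post_vital_vulnerable(store, route_pid, route_eid, body):
    """Pre-8.0.0.2 pattern: a body 'id' is treated as UPDATE with no ownership check."""
    if "id" in body:
        store[body["id"]].bps = body["bps"]   # overwrites whichever row the id names
        return body["id"]
    new_id = max(store) + 1
    store[new_id] = Vital(new_id, route_pid, route_eid, body["bps"])
    return new_id


def post_vital_fixed(store, route_pid, route_eid, body):
    """Hardened pattern: the row must belong to the patient/encounter in the route."""
    if "id" in body:
        row = store.get(body["id"])
        if row is None or row.pid != route_pid or row.eid != route_eid:
            raise Forbidden("vital %r is not in patient %d / encounter %d"
                            % (body["id"], route_pid, route_eid))
        row.bps = body["bps"]
        return row.id
    new_id = max(store) + 1
    store[new_id] = Vital(new_id, route_pid, route_eid, body["bps"])
    return new_id


def cross_patient_updates(audit_entries, store):
    """Flag audit entries whose vital id belongs to a patient other than the route's."""
    return [e for e in audit_entries
            if e["vital_id"] in store and store[e["vital_id"]].pid != e["route_pid"]]
```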

Affected Systems

The flaw exists in the OpenEMR application in all releases before version 8.0.0.2. The vendor, OpenEMR, released a fix in release 8.0.0.2 that removes the unchecked update path. Any environment running an OpenEMR release older than 8.0.0.2 in which users hold the encounters/notes permission is potentially affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid user account with the appropriate permissions, and the request is sent over the web interface, so this is a remote, authenticated attack. The impact is confined to the integrity of the victim's records but can be significant within a care setting. Monitoring for unusual overwrite attempts and limiting permission sets can reduce the exploitation window.

Generated by OpenCVE AI on March 20, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenEMR security update to version 8.0.0.2 or later
  • If an immediate update is not possible, remove the encounters/notes permission from all non-administrative users or enforce a role-based policy that restricts overwrite capability
  • Review audit logs for unexpected vital record updates and investigate any anomalies
  • Verify that the deployed version matches the patched release and that the API no longer accepts arbitrary ids

Generated by OpenCVE AI on March 20, 2026 at 18:24 UTC.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-emr; Open-emr openemr
CPEs | | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products | | Open-emr; Open-emr openemr

Fri, 20 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openemr; Openemr openemr
Vendors & Products | | Openemr; Openemr openemr

Thu, 19 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current patient or encounter. An authenticated user with encounters/notes permission can overwrite any patient's vitals by supplying another patient's vital `id`, leading to medical record tampering. Version 8.0.0.2 fixes the issue.
Title | | OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T20:32:14.407Z

Reserved: 2026-02-05T16:48:00.428Z

Link: CVE-2026-25744

Vulnrichment

Updated: 2026-03-19T20:32:08.406Z

NVD

Status: Analyzed

Published: 2026-03-19T20:16:13.480

Modified: 2026-03-20T17:19:12.720

Link: CVE-2026-25744

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:14Z

Weaknesses