Impact
The vulnerability lies in the DICOM viewer state API: an authenticated user supplies a document ID, and the server uses it directly as the lookup key without verifying that the document belongs to a patient or encounter that user is authorized to access. As a result, any authenticated user can read or alter the viewer state (annotations, view settings and similar data) of any DICOM document in the system. This is a missing object-level authorization check, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). It enables a breach of patient privacy and, because annotations and viewing parameters can be changed, could misrepresent imaging data to the next clinician who opens the study. The impact is limited to the data and settings held in the viewer state, but that is still enough to expose sensitive patient information or disrupt correct clinical interpretation.
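The following is an added example written for this page, not OpenEMR's own code: a minimal model of a viewer-state API that shows the missing check beside a hardened version. The store layout, the function names, the session user model and the `AUTHORIZED_PATIENTS` table are assumptions made for the illustration.

```python
"""
Added example (not OpenEMR's own code): a minimal model of the viewer-state
API described above, showing the CWE-639 pattern beside a hardened version.
Store layout, function names and the user/patient model are assumptions.
"""
import copy


class NotFound(Exception):
    """Raised for a document the caller may not see (or that does not exist)."""


def make_store():
    """Constructed sample data: document id -> owning patient + viewer state."""
    return {
        101: {"patient_id": 1, "state": {"annotations": [], "window": "lung"}},
        102: {"patient_id": 2, "state": {"annotations": ["nodule, 4mm"], "window": "bone"}},
        103: {"patient_id": 3, "state": {"annotations": [], "window": "default"}},
    }


# Constructed: which patients each authenticated user may access (in a real
# EHR this would come from encounter or care-team assignments at request time).
AUTHORIZED_PATIENTS = {
    "alice": {1},
    "bob": {2, 3},
}


# --- Vulnerable pattern (CWE-639) -------------------------------------------
# The caller is authenticated (we have a session user), but the document ID
# from the request is used as the lookup key as-is: nothing ties the document
# back to a patient this user is allowed to see.

def get_viewer_state_vulnerable(store, session_user, document_id):
    doc = store.get(document_id)
    if doc is None:
        raise NotFound(document_id)
    return copy.deepcopy(doc["state"])


def set_viewer_state_vulnerable(store, session_user, document_id, new_state):
    doc = store.get(document_id)
    if doc is None:
        raise NotFound(document_id)
    doc["state"] = copy.deepcopy(new_state)
    return True


# --- Hardened pattern --------------------------------------------------------

def _authorized_document(store, session_user, document_id):
    """Resolve document_id only if it belongs to a patient the user may access.

    Missing and forbidden documents get the same response, so walking IDs
    does not reveal which ones exist.
    """
    doc = store.get(document_id)
    allowed = AUTHORIZED_PATIENTS.get(session_user, set())
    if doc is None or doc["patient_id"] not in allowed:
        raise NotFound(document_id)
    return doc


def get_viewer_state_fixed(store, session_user, document_id):
    return copy.deepcopy(_authorized_document(store, session_user, document_id)["state"])


ALLOWED_STATE_KEYS = {"annotations", "window"}


def set_viewer_state_fixed(store, session_user, document_id, new_state):
    doc = _authorized_document(store, session_user, document_id)
    # Authorization first, then validate the shape of what is written so the
    # endpoint cannot be used to store arbitrary keys in the viewer state.
    unexpected = set(new_state) - ALLOWED_STATE_KEYS
    if unexpected:
        raise ValueError(f"unexpected state keys: {sorted(unexpected)}")
    doc["state"] = copy.deepcopy(new_state)
    return True


def is_denied(fn, *args):
    """True if the call is refused with NotFound (used by the checks below)."""
    try:
        fn(*args)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    # alice is assigned only patient 1, yet the vulnerable handler returns
    # patient 2's document and the fixed one refuses it.
    print("vulnerable:", get_viewer_state_vulnerable(store, "alice", 102))
    print("fixed denies:", is_denied(get_viewer_state_fixed, store, "alice", 102))
```

Two design points worth noting. The ownership check is resolved from the document side (look up the document, then compare its patient against the caller's authorized set) rather than trusting any patient ID the client might send alongside the document ID, which would just move the user-controlled key. And an unauthorized document is answered exactly like a nonexistent one, so an ID walk yields no existence oracle.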
Affected Systems
The flaw affects all OpenEMR installations running a version older than 8.0.0. The product listed by the CNA is OpenEMR, a free and open-source electronic health records system. No affected version range is given beyond the statement that 8.0.0 and later contain the fix, so any deployment below 8.0.0 should be treated as affected.
Risk and Exploitability
The CVSS score of 7.1 places the vulnerability in the High severity band (7.0 to 8.9), not Medium. The EPSS score of less than 1% indicates a low estimated likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs valid credentials for a user account; the API is reachable remotely, so that is the only barrier. Once logged in, the attacker can enumerate document IDs and call the vulnerable endpoints with each one. Because the API performs no object-level authorization check, every authenticated user can read or modify the viewer state of every document, so the attack is straightforward once credentials are obtained, and a low-privileged or compromised insider account is sufficient. Overall risk is tempered by the authentication requirement and the low reported exploitation probability, but within a deployment the reachable data covers every DICOM document, so the fix in 8.0.0 should be applied regardless of the EPSS figure.
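The enumeration described above leaves a recognisable trace in access logs: one account touching many distinct document IDs, often in sequence. The following is an added detection example written for this page, not OpenEMR tooling. It assumes the log records the authenticated username per request and that the endpoint path ends in a numeric document ID; the path `/viewer-state/<id>` and the log layout are placeholders, and the sample log lines are constructed.

```python
"""
Added example (written for this page, not OpenEMR tooling): flag accounts
whose requests to the viewer-state endpoint look like a document ID walk.
The path "/viewer-state/<id>", the log layout and the sample lines below
are assumptions/constructed data for this illustration.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) /viewer-state/(?P<doc_id>\d+)" (?P<status>\d{3})$'
)

# Constructed sample log: alice works on her own documents, mallory walks IDs
# and then writes to one of them.
SAMPLE_LOG = "\n".join(
    [
        '10.0.0.5 alice [12/Mar/2025:09:00:01 +0000] "GET /viewer-state/101" 200',
        '10.0.0.5 alice [12/Mar/2025:09:03:10 +0000] "PUT /viewer-state/101" 200',
        '10.0.0.5 alice [12/Mar/2025:09:04:00 +0000] "GET /viewer-state/104" 200',
    ]
    + [
        f'10.0.0.9 mallory [12/Mar/2025:09:10:{i:02d} +0000] "GET /viewer-state/{100 + i}" 200'
        for i in range(12)
    ]
    + ['10.0.0.9 mallory [12/Mar/2025:09:11:00 +0000] "PUT /viewer-state/105" 200']
)


def parse(log_text):
    """Yield (user, method, doc_id) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["method"], int(m["doc_id"])


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in the set `ids`."""
    ids = set(ids)
    best = 0
    for n in ids:
        if n - 1 in ids:          # only start counting at a run's lowest ID
            continue
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best


def find_enumerators(log_text, max_distinct=8, max_run=5):
    """Return {user: summary} for users whose access pattern looks like an ID walk.

    Thresholds are deliberately parameters: a radiologist legitimately opens
    many studies per shift, so tune them per site and corroborate with the
    application's own authorization decisions before treating a hit as abuse.
    """
    docs = defaultdict(set)
    writes = defaultdict(int)
    for user, method, doc_id in parse(log_text):
        docs[user].add(doc_id)
        if method in ("PUT", "POST", "PATCH", "DELETE"):
            writes[user] += 1
    findings = {}
    for user, ids in docs.items():
        run = longest_consecutive_run(ids)
        if len(ids) >= max_distinct or run >= max_run:
            findings[user] = {"distinct": len(ids), "longest_run": run, "writes": writes[user]}
    return findings


if __name__ == "__main__":
    for user, summary in find_enumerators(SAMPLE_LOG).items():
        print(user, summary)
```

The write counter matters because a read-only walk is a privacy incident, while a write to a document the account should not own is also an integrity incident (changed annotations or viewing parameters). The access log alone cannot prove that a given document belongs to a patient outside the user's assignment; that confirmation needs the document-to-patient mapping from the application, so this kind of rule is a triage signal, not a verdict. On a patched system the same requests would produce error responses, so a rising per-user error rate on this endpoint is a complementary signal.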
OpenCVE Enrichment