Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains a SQL injection vulnerability in the ajax graphs library that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax graphs library. This vulnerability is fixed in 8.0.0.1.
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing authenticated attackers to access or manipulate data
Action: Patch ASAP
AI Analysis

Impact

OpenEMR contains a CWE-89 SQL injection flaw in the ajax graphs library that permits an authenticated attacker to inject arbitrary SQL. The absence of proper input validation allows malicious queries to be executed against the database, potentially exposing sensitive patient information or altering records. The vulnerability is strictly limited to users who can authenticate to the system, so it does not grant unauthenticated access.
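The injection class described above, shown as an added example that is not OpenEMR's code: a constructed SQLite schema, a deliberately vulnerable query builder that splices a request parameter into SQL text, and the corrected form that validates the parameter and binds it. The table names, the `pid` parameter, the function names and the payload are illustrative assumptions; the page does not show the ajax graphs library's actual code, and nothing here is taken from it.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema for the demonstration; not OpenEMR's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE form_vitals (pid INTEGER, date TEXT, weight REAL);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO form_vitals VALUES
            (1, '2026-01-05', 80.2),
            (1, '2026-02-05', 79.6),
            (2, '2026-01-09', 65.0);
        INSERT INTO users VALUES ('admin', '$2y$10$constructedhash');
    """)
    return conn


def vulnerable_graph_data(conn, pid):
    """CWE-89 pattern: the request parameter is spliced straight into the SQL text.
    Hypothetical illustration of the bug class, not the actual OpenEMR code."""
    sql = f"SELECT date, weight FROM form_vitals WHERE pid = {pid}"
    return conn.execute(sql).fetchall()


def parse_pid(raw):
    """Input validation: a graph request only ever needs a patient id, so accept
    nothing but a decimal integer string (allowlist; everything else is rejected)."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]+", raw):
        raise ValueError(f"pid must be a decimal integer, got {raw!r}")
    return int(raw)


def safe_graph_data(conn, pid):
    """Fixed pattern: typed input plus a bound parameter, so the value is data to
    the SQL engine and can never be interpreted as SQL syntax."""
    if not isinstance(pid, int):
        raise TypeError("pid must already be validated to int")
    return conn.execute(
        "SELECT date, weight FROM form_vitals WHERE pid = ?", (pid,)
    ).fetchall()


def demo():
    """Run the same payload through both paths; returns (leaked rows, blocked flag)."""
    conn = make_db()
    # Constructed UNION payload: appends credential rows to the vitals result set.
    payload = "1 UNION SELECT username, password FROM users"
    leaked = vulnerable_graph_data(conn, payload)
    try:
        safe_graph_data(conn, parse_pid(payload))
        blocked = False
    except ValueError:
        blocked = True  # validation rejects it before any SQL is built
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable query returned:", leaked)
    print("fixed path rejected payload:", blocked)
```

The fix is the combination: the allowlist keeps junk out of the application entirely, and the bound parameter means that even a value that slipped past validation would be compared as data rather than executed as SQL.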

Affected Systems

The issue affects installations of the OpenEMR electronic health records application that are running any version older than 8.0.0.1. The fix was introduced in release 8.0.0.1, so systems not yet updated remain vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) designates the flaw as high severity: it is reachable over the network, needs only a low-privileged account and no user interaction, and yields full impact on confidentiality, integrity and availability. The EPSS score of less than 1 % suggests that exploitation is currently unlikely to be widespread, although the SSVC assessment in the record marks Exploitation as "poc" and Automatable as "yes", so a proof of concept exists and the attack can be scripted. The vulnerability is not listed in the CISA KEV catalog, which means CISA has not recorded exploitation in the wild, not that none has occurred. Attackers need legitimate credentials to reach the ajax graphs endpoint, so the attack vector is an authenticated user submitting a crafted parameter to that endpoint; because PR:L is sufficient, any low-privileged account, not only an administrator, can do so. The high severity combined with the sensitive nature of medical data means that, if exploited, the potential impact remains significant.

Generated by OpenCVE AI on April 17, 2026 at 11:35 UTC.

Remediation

The vendor fix is the OpenEMR 8.0.0.1 release (see Description); no separate workaround is documented on this page.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.1 or later.
  • Restrict or disable access to the ajax graphs functionality for accounts that do not need it.
  • Monitor application logs for unexpected SQL queries or anomalous activity on the Ajax graphs endpoint.
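For the log-monitoring item above, an added example that is not an OpenCVE or OpenEMR artifact: a small Python scanner over constructed access-log lines that flags requests to the graphs endpoint whose parameters either match common SQL injection syntax or fail a per-parameter shape allowlist. The endpoint path, the parameter names and their expected shapes, the log format (the third field is taken as the application user) and the log lines themselves are assumptions made for the example, not values taken from OpenEMR.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Assumed endpoint path and parameter shapes; not taken from OpenEMR's source.
GRAPH_ENDPOINT = "/library/ajax/graphs.php"
EXPECTED_SHAPE = {
    "pid": re.compile(r"[0-9]{1,10}"),
    "type": re.compile(r"[a-z_]{1,40}"),
}

# Signature checks for common injection syntax. Signatures are advisory only;
# a value that fails the allowlist is flagged whether or not a signature fires.
SQLI_SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)),
    ("tautology", re.compile(r"""['"]\s*(?:or|and)\s+['"\w]+\s*=""", re.I)),
    ("comment", re.compile(r"--|#|/\*")),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
]

# Combined-log-like format; the third field is assumed to carry the app user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_value(name, value):
    """Return the reasons a decoded parameter value looks hostile (empty if clean)."""
    reasons = [label for label, rx in SQLI_SIGNATURES if rx.search(value)]
    shape = EXPECTED_SHAPE.get(name)
    if shape is None:
        reasons.append("unexpected-param")
    elif not shape.fullmatch(value):
        reasons.append("shape-mismatch")
    return reasons


def scan_log(lines):
    """Yield one finding per suspicious parameter on requests to the graph endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if url.path != GRAPH_ENDPOINT:
            continue
        # parse_qsl percent-decodes, so encoded spaces and '=' inside values are seen.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = classify_value(name, value)
            if reasons:
                findings.append({
                    "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                    "param": name, "value": value, "reasons": reasons,
                })
    return findings


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - clinician [11/Mar/2026:10:02:11 +0000] '
    '"GET /library/ajax/graphs.php?pid=1&type=weight HTTP/1.1" 200 512',
    '10.0.0.9 - clinician [11/Mar/2026:10:03:45 +0000] '
    '"GET /library/ajax/graphs.php?pid=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 200 904',
    "10.0.0.9 - clinician [11/Mar/2026:10:04:02 +0000] "
    "\"GET /library/ajax/graphs.php?pid=1'%20OR%20'1'%3D'1 HTTP/1.1\" 200 1200",
    '10.0.0.7 - nurse [11/Mar/2026:10:05:00 +0000] '
    '"GET /interface/main/main_screen.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} {f['param']}={f['value']!r} -> {f['reasons']}")
```

The allowlist is the part worth keeping even if the signatures are dropped: a graph endpoint that takes a numeric patient id should never see anything but digits in that parameter, and a shape mismatch is a cheap, low-noise indicator that survives encoding tricks the signature list does not anticipate.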


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-emr; Open-emr openemr
CPEs | | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products | | Open-emr; Open-emr openemr

Thu, 12 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openemr; Openemr openemr
Vendors & Products | | Openemr; Openemr openemr

Wed, 11 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains a SQL injection vulnerability in the ajax graphs library that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax graphs library. This vulnerability is fixed in 8.0.0.1.
Title | | SQL Injection Vulnerability in ajax graphs library (OpenEMR)
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:16:56.356Z

Reserved: 2026-03-10T22:19:36.545Z

Link: CVE-2026-32127

Vulnrichment

Updated: 2026-03-12T14:16:52.598Z

NVD

Status : Analyzed

Published: 2026-03-11T21:16:18.900

Modified: 2026-03-13T15:44:50.763

Link: CVE-2026-32127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses