SB20260423162 - Multiple vulnerabilities in OpenEMR
Published: April 23, 2026 Updated: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 26 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-69231)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim's browser and escalate privileges.
The vulnerability exists due to cross-site scripting in interface/forms/gad7/view.php when rendering stored GAD-7 form values into JavaScript code. A remote user can inject malicious JavaScript into form fields to execute arbitrary script in a victim's browser and escalate privileges.
User interaction is required, and the victim must click the Edit button on a compromised GAD-7 form. Only instances with the GAD-7 form enabled are vulnerable.
2) Open redirect (CVE-ID: CVE-2026-24847)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to redirect users to an arbitrary external site.
The vulnerability exists due to url redirection to an untrusted site in interface/forms/eye_mag/view.php when handling a user-supplied url parameter. A remote attacker can send a crafted link to redirect users to an arbitrary external site.
User interaction is required, and exploitation can be used in phishing attacks.
3) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-21443)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script code in a user's browser.
The vulnerability exists due to improper encoding or escaping of output in the xl() translation function output and related translation wrappers when rendering translation strings in HTML, XML, or JavaScript contexts without proper escaping. A remote user can insert malicious content into the translation database to execute arbitrary script code in a user's browser.
Exploitation requires the ability to modify translation table contents in the database.
4) Improper access control (CVE-ID: CVE-2026-25135)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the Location resource for the Group.$export operation when handling export requests with system/(Group,Patient,*).$export and system/Location.read capabilities. A remote privileged user can use a confidential client configured with those permissions to disclose sensitive information.
User interaction is required, and exploitation occurs only when an administrator has enabled and granted permission to the confidential client with secure key exchange.
5) Improper access control (CVE-ID: CVE-2026-25127)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the Care Coordination module endpoint when handling requests to the encountermanager URL. A remote user can send a crafted request with a valid low-privileged session cookie to disclose sensitive information.
The issue affects access to data that should be restricted by the configured access control list for the module.
6) Improper access control (CVE-ID: CVE-2026-25124)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in interface/reports/message_list.php when handling CSV export requests. A remote user can send a crafted POST request with form_csvexport=true to disclose sensitive information.
The issue affects the report export functionality for the message list and can expose patient and user message data.
7) Improper access control (CVE-ID: CVE-2026-25131)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to view, add, modify, and delete procedure types.
The vulnerability exists due to improper access control in the /openemr/interface/orders/types_edit.php endpoint when handling requests to manage procedures configuration. A remote user can send crafted requests to view, create, update, or delete procedure type entries to view, add, modify, and delete procedure types.
The issue affects the order types management system, and no user interaction is required.
8) Improper access control (CVE-ID: CVE-2026-24896)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the edih_main.php endpoint and EDI log viewing functionality when handling crafted GET requests with the log_select parameter. A remote user can send a specially crafted request to disclose sensitive information.
The issue allows authenticated low-privilege roles, such as receptionist, to access EDI log files outside the intended GUI-enforced permission boundaries.
9) Cross-site scripting (CVE-ID: CVE-2026-25743)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser.
The vulnerability exists due to cross-site scripting in the questionnaire answer display function when rendering stored form answers on patient encounter pages or visit history. A remote privileged user can submit a crafted questionnaire answer to execute arbitrary JavaScript in another user's browser.
User interaction is required when a user with the relevant form role views the affected patient encounter page or visit history.
10) SQL injection (CVE-ID: CVE-2026-25746)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information, modify database contents, or cause a denial of service.
The vulnerability exists due to SQL injection in the prescription listing functionality when handling the user-supplied sort parameter. A remote user can send a specially crafted request to disclose sensitive information, modify database contents, or cause a denial of service.
The issue affects the prescription controller path and requires the standard patients rx ACL permission.
11) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-25927)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and modify DICOM viewer state.
The vulnerability exists due to authorization bypass through a user-controlled key in the DICOM viewer state API in controllers/C_Document.class.php when handling requests with a supplied doc_id. A remote user can send a crafted request with another patient's document ID to disclose sensitive information and modify DICOM viewer state.
The issue affects read and write operations for viewer state, including annotations and view settings, and may expose PHI and imaging metadata.
12) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-25929)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the document controller patient_picture context when handling requests with a user-supplied patient_id. A remote user can send a crafted request with another patient's ID to disclose sensitive information.
The issue affects retrieval of patient photos associated with other patient records.
13) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-25930)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in interface/forms/LBF/printable.php when handling requests with user-supplied formid, visitid, and patientid values. A remote user can send a specially crafted request to disclose sensitive information.
The issue affects the printable view for layout-based forms and allows enumeration of form identifiers to access other patients' encounter forms.
14) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-25220)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the Message Center message listing functionality when handling a request with the show_all=yes URL parameter. A remote user can send a crafted request to disclose sensitive information.
The issue exposes internal messages belonging to other users, including patient-related notes and staff communications.
15) Missing Authorization (CVE-ID: CVE-2026-25164)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information and modify patient insurance data.
The vulnerability exists due to improper access control in document and insurance REST endpoints in apis/routes/_rest_routes_standard.inc.php when handling API requests with a valid bearer token. A remote user can send crafted requests for arbitrary patient identifiers to disclose sensitive information and modify patient insurance data.
The affected routes omit authorization checks that are used by other patient routes, allowing access across patient records regardless of the token's assigned ACLs.
16) Insufficient Session Expiration (CVE-ID: CVE-2026-25476)
CWE-ID: CWE-613 - Insufficient Session Expiration
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to insufficient session expiration in library/auth.inc.php when handling requests that include the skip_timeout_reset parameter. A remote attacker can send a request with skip_timeout_reset=1 using a stolen session cookie to disclose sensitive information.
Exploitation requires a valid session cookie and affects deployments with session timeout enabled.
17) Information disclosure (CVE-ID: CVE-2026-24487)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the FHIR CareTeam resource endpoint when handling requests with patient-scoped FHIR tokens. A remote user can send a request to the CareTeam endpoint without a patient parameter to disclose sensitive information.
Exploitation requires the FHIR API to be enabled and a valid patient-scoped FHIR OAuth2 token.
18) Improper Authorization (CVE-ID: CVE-2026-24890)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to overwrite provider signatures and forge signatures on medical documents.
The vulnerability exists due to improper authorization in portal/sign/lib/save-signature.php when handling patient portal signature requests with type=admin-signature and a user-supplied provider user ID. A remote user can send a specially crafted POST request to overwrite provider signatures and forge signatures on medical documents.
The issue affects the backend endpoint even if the user interface restricts access to the admin signature functionality.
19) SQL injection (CVE-ID: CVE-2026-24908)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL queries.
The vulnerability exists due to SQL injection in the Patient REST API endpoint _sort parameter handling when processing user-supplied _sort query parameters. A remote user can send a specially crafted API request to execute arbitrary SQL queries.
Exploitation requires valid API access with an OAuth2 bearer token, and the REST API must be enabled.
20) SQL injection (CVE-ID: CVE-2026-23627)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL queries.
The vulnerability exists due to sql injection in the ImmunizationController class when processing user-supplied patient_id values in the indexAction and reportAction methods. A remote user can send a specially crafted patient_id parameter to execute arbitrary SQL queries.
Exploitation requires an authenticated session and access to the Immunization module.
21) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-27943)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through a user-controlled key in interface/forms/eye_mag/view.php when handling a user-supplied form_id parameter. A remote user can supply another patient's form ID to disclose sensitive information.
The issue affects the eye exam view path and may switch the active patient in the session in some flows.
22) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-25147)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through a user-controlled key in portal/portal_payment.php when handling requests that include a user-supplied patient id. A remote user can send a specially crafted request with another patient's pid to disclose sensitive information.
Only deployments with the patient portal enabled are vulnerable.
23) Path traversal (CVE-ID: CVE-2026-24488)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in the EtherFaxActions sendFax endpoint when handling user-supplied file paths. A remote user can send a specially crafted request with an arbitrary file path to disclose sensitive information.
Only instances with the Fax/SMS module enabled are vulnerable.
24) Improper Authentication (CVE-ID: CVE-2026-24898)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information and perform unauthorized actions on the MedEx platform.
The vulnerability exists due to improper authentication in the MedEx callback endpoint when handling a POST request containing a callback_key parameter. A remote attacker can send a specially crafted request to disclose sensitive information and perform unauthorized actions on the MedEx platform.
Only installations with the MedEx service enabled are vulnerable.
25) Information disclosure (CVE-ID: CVE-2026-25146)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information and perform unauthorized payment gateway actions.
The vulnerability exists due to exposure of sensitive information in client-side JavaScript code in the payment pages when rendering payment-related pages. A remote user can view the rendered gateway_api_key in browser-accessible source code to disclose sensitive information and perform unauthorized payment gateway actions.
The secret is exposed through at least two code paths, including the patient portal and the admin-side payment flow, and the value is leaked for any configured gateway if gateway_api_key is set.
26) Direct Request ('Forced Browsing') (CVE-ID: CVE-2026-34056)
CWE-ID: CWE-425 - Direct Request ('Forced Browsing')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper authorization in erx_logview.php when handling requests for Ensora eRx error logs. A remote user can send a crafted request to disclose sensitive information.
The issue allows low-privilege users to view and download admin-only Ensora eRx error logs without proper authorization checks.
Remediation
Install update from vendor's website.
References
- https://github.com/openemr/openemr/security/advisories/GHSA-mf62-q2xc-hxm3
- https://github.com/openemr/openemr/security/advisories/GHSA-6f42-6q2r-fc2h
- https://github.com/openemr/openemr/security/advisories/GHSA-3f9j-cqjj-7h46
- https://github.com/openemr/openemr/security/advisories/GHSA-fgxg-wg4w-rj23
- https://github.com/openemr/openemr/security/advisories/GHSA-69cv-rv28-4g85
- https://github.com/openemr/openemr/security/advisories/GHSA-q7p5-rrwj-qmp2
- https://github.com/openemr/openemr/security/advisories/GHSA-6h2m-4ppf-ph4j
- https://github.com/openemr/openemr/security/advisories/GHSA-rccq-vjfg-ggjh
- https://github.com/openemr/openemr/security/advisories/GHSA-3xx2-qf6g-6p28
- https://github.com/advisories/GHSA-3xx2-qf6g-6p28
- https://github.com/openemr/openemr/security/advisories/GHSA-78r7-g65p-gpw3
- https://github.com/openemr/openemr/security/advisories/GHSA-qj9f-x7v2-hrr7
- https://github.com/openemr/openemr/security/advisories/GHSA-778w-r8rm-8qhq
- https://github.com/openemr/openemr/security/advisories/GHSA-h3xx-8cp7-hf7m
- https://github.com/openemr/openemr/security/advisories/GHSA-phcp-7qjx-83cm
- https://github.com/openemr/openemr/security/advisories/GHSA-f64c-h2gh-g3f9
- https://github.com/openemr/openemr/security/advisories/GHSA-gx7q-6fhr-5h33
- https://github.com/openemr/openemr/security/advisories/GHSA-4frq-f657-hwrc
- https://github.com/openemr/openemr/security/advisories/GHSA-xc8x-mfh8-9xvh
- https://github.com/openemr/openemr/security/advisories/GHSA-rcc2-45v3-qmqm
- https://github.com/openemr/openemr/security/advisories/GHSA-x3hw-rwrg-v25h
- https://github.com/openemr/openemr/security/advisories/GHSA-q96x-qw99-6xq9
- https://github.com/openemr/openemr/security/advisories/GHSA-mwmw-qxv3-8whh
- https://github.com/openemr/openemr/security/advisories/GHSA-765x-8v97-c7g8
- https://github.com/openemr/openemr/security/advisories/GHSA-qwff-3mw7-7rc7
- https://github.com/openemr/openemr/security/advisories/GHSA-2hq8-wc73-jvvq
- https://github.com/openemr/openemr/security/advisories/GHSA-6qg7-6jf3-xrfh
- https://demo.openemr.io/openemr/interface/logview/erx_logview.php