SB20260423168 - Multiple vulnerabilities in OpenEMR
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 vulnerabilities.
1) SQL injection (CVE-ID: CVE-2026-32127)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL commands and disclose sensitive information.
The vulnerability exists due to SQL injection in the ajax graphs library when handling crafted POST requests to library/ajax/graphs.php. A remote user can send a specially crafted name parameter to execute arbitrary SQL commands and disclose sensitive information.
The issue occurs because user-supplied input in the name parameter is concatenated into SQL queries.
2) Missing Authorization (CVE-ID: CVE-2026-32126)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify or delete clinical rules and plans.
The vulnerability exists due to improper access control in ControllerRouter::route() in the Clinical Decision Rules router when handling direct requests to CDR controllers. A remote user can send crafted requests to admin-only CDR actions to modify or delete clinical rules and plans.
The issue affects controllers that do not perform their own ACL or CSRF checks, and direct URL access is not blocked for authenticated non-admin users.
3) Cross-site scripting (CVE-ID: CVE-2026-32125)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in Track Anything graph titles and labels when rendering stored track or item names in Dygraph charts. A remote user can create or modify a track or item name containing malicious script to execute arbitrary script in a victim's browser.
User interaction is required because a user must view the corresponding graph.
4) Cross-site scripting (CVE-ID: CVE-2026-32124)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in the dynamic code picker code description rendering path when displaying stored code descriptions returned by the AJAX endpoint. A remote user can create or edit a code entry with a malicious description to execute arbitrary script in a victim's browser.
User interaction is required when a victim opens a form or screen that uses the dynamic code picker.
5) Improper access control (CVE-ID: CVE-2026-32123)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the encounter sensitivity logic in EncounterService.php when handling group encounters. A remote user can access a sensitive group encounter or its forms to disclose sensitive information.
Only group encounters that use sensitivity flags are affected, because sensitivity is stored in form_groups_encounter but the check consults only form_encounter.
6) Missing Authorization (CVE-ID: CVE-2026-32122)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the Claim File Tracker AJAX endpoint when handling requests for claim tracking data. A remote user can send a request to the endpoint to disclose sensitive information.
The issue affects the AJAX handler in library/ajax/billing_tracker_ajax.php, which does not enforce the same billing and claims ACL checks as the main UI.
7) Cross-site scripting (CVE-ID: CVE-2026-32121)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a staff member's browser session.
The vulnerability exists due to improper neutralization of input during web page generation in the portal signer modal in portal/sign/assets/signer_api.js when rendering attacker-controlled patient names via jQuery .html(). A remote user can register a patient account with a crafted name and trigger rendering of that name in the signer modal to execute arbitrary JavaScript in a staff member's browser session.
Exploitation requires patient self-registration to be enabled and a staff member to open the signature modal for the attacker's patient record.
8) Cross-site scripting (CVE-ID: CVE-2026-46518)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a clinician's browser session.
The vulnerability exists due to cross-site scripting in the prescription CSS/HTML multi-print feature when rendering patient demographic fields from patient records. A remote user can submit crafted HTML or script through the patient update API to execute arbitrary JavaScript in a clinician's browser session.
Exploitation requires the patient portal to be enabled, a direct call to the api/patient/:num endpoint to bypass the normal audit workflow, an existing prescription for the patient, and a clinician to use the CSS/HTML multi-print option.
9) Cross-site scripting (CVE-ID: CVE-2026-32118)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of a user viewing a crafted encounter form.
The vulnerability exists due to cross-site scripting in the Graphical Pain Map legend rendering in library/js/clickmap.js when processing stored annotation text. A remote user can save a crafted annotation in a Graphical Pain Map form to execute arbitrary JavaScript in the browser of a user viewing a crafted encounter form.
User interaction is required when another user opens the affected encounter form or encounter report.
10) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-25745)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify any patient's messages or notes.
The vulnerability exists due to improper access control in the message/patient note update handler when handling update requests for message or note IDs. A remote user can send a crafted update request with another patient's message or note ID to modify any patient's messages or notes.
The issue affects the REST or AJAX update path and does not require user interaction.
11) Direct Request ('Forced Browsing') (CVE-ID: CVE-2026-34051)
CWE-ID: CWE-425 - Direct Request ('Forced Browsing')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and modify system data.
The vulnerability exists due to improper authorization in the import/export functionality when handling direct requests to restricted import and export actions. A remote user can send a direct request to perform unauthorized import or export operations to disclose sensitive information and modify system data.
UI restrictions alone do not prevent access to the functionality.
Remediation
Install update from vendor's website.
References
- https://github.com/openemr/openemr/security/advisories/GHSA-v8q6-h79f-736x
- https://github.com/openemr/openemr/security/advisories/GHSA-752v-x6m4-6cf8
- https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99
- https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc
- https://github.com/openemr/openemr/security/advisories/GHSA-j4mm-wg7q-v57q
- https://github.com/openemr/openemr/security/advisories/GHSA-rwf9-px3c-3prw
- https://github.com/openemr/openemr/security/advisories/GHSA-68fr-xm3v-p4vw
- https://github.com/openemr/openemr/security/advisories/GHSA-4gh4-q39r-45wf
- https://github.com/openemr/openemr/security/advisories/GHSA-55qj-x8wh-m4rm
- https://github.com/openemr/openemr/security/advisories/GHSA-jm78-x5p7-52qh
- https://github.com/openemr/openemr/security/advisories/GHSA-54m8-wpg9-9665