Improper access control in OpenEMR - CVE-2025-67645

Published: April 23, 2026


Vulnerability identifier: #VU127247
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-67645
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to modify another user's profile data.

The vulnerability exists due to improper access control in the profile edit endpoint when handling profile update requests: the endpoint selects the record to update from the client-supplied pid and pubpid parameters instead of binding it to the authenticated session. A remote authenticated user can therefore tamper with the pid and pubpid parameters in a profile update request to alter another user's profile data.

If an administrator then commits the unauthorized profile changes to the chart, this could enable account takeover.
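The pattern behind this class of bug, and the check that closes it, as an added example (illustrative PHP written for this advisory, not OpenEMR's own code): the table and column names patient_data, pid, pubpid and fname, the session key pid, and the function names are assumptions for the sketch. The vulnerable handler picks the row to update from the client-supplied pid/pubpid; the hardened handler binds the update to the authenticated session, never writes identifiers from the request, and treats a disagreeing pid/pubpid as tampering that is logged and rejected.

```php
<?php
declare(strict_types=1);

// Illustrative example added to this advisory; it is not OpenEMR code.
// Table/column names (patient_data, pid, pubpid, fname), the session key
// 'pid' and the function names below are assumptions for this sketch.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE patient_data (pid INTEGER PRIMARY KEY, pubpid TEXT, fname TEXT)');
    // Constructed sample data: two patients.
    $db->exec("INSERT INTO patient_data VALUES (1, 'P-0001', 'Alice'), (2, 'P-0002', 'Bob')");
    return $db;
}

// VULNERABLE: the record to update is chosen by the client-supplied pid/pubpid.
// Any authenticated user can rewrite another patient's profile simply by
// editing those two parameters in the request body (CWE-284).
function vulnerableProfileUpdate(PDO $db, array $post): void
{
    $stmt = $db->prepare('UPDATE patient_data SET fname = :fname, pubpid = :pubpid WHERE pid = :pid');
    $stmt->execute([
        ':fname'  => $post['fname'] ?? '',
        ':pubpid' => $post['pubpid'] ?? '',
        ':pid'    => (int) ($post['pid'] ?? 0),
    ]);
}

// HARDENED: the target record comes from the authenticated session only.
// Client-supplied pid/pubpid never select the row; if they are present and
// disagree with the session's own record, the request is logged and refused.
function hardenedProfileUpdate(PDO $db, array $session, array $post): void
{
    if (empty($session['pid'])) {
        throw new RuntimeException('not authenticated');
    }
    $sessionPid = (int) $session['pid'];

    // Resolve the caller's own identifiers from the server-side record.
    $own = $db->prepare('SELECT pid, pubpid FROM patient_data WHERE pid = :pid');
    $own->execute([':pid' => $sessionPid]);
    $row = $own->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('unknown session pid');
    }

    $pidMismatch    = isset($post['pid']) && (int) $post['pid'] !== $sessionPid;
    $pubpidMismatch = isset($post['pubpid']) && $post['pubpid'] !== $row['pubpid'];
    if ($pidMismatch || $pubpidMismatch) {
        // Worth alerting on: a well-behaved client never sends someone else's ids.
        error_log(sprintf('profile_update: session pid %d sent pid=%s pubpid=%s',
            $sessionPid, $post['pid'] ?? '-', $post['pubpid'] ?? '-'));
        throw new RuntimeException('forbidden: identifiers do not match session');
    }

    // Only user-editable fields are written; identifiers are not updatable here.
    $stmt = $db->prepare('UPDATE patient_data SET fname = :fname WHERE pid = :pid');
    $stmt->execute([':fname' => $post['fname'] ?? '', ':pid' => $sessionPid]);
}

// Demo: Bob (pid 2) submits a request naming Alice's identifiers.
$bobSession = ['pid' => 2];
$tampered   = ['pid' => '1', 'pubpid' => 'P-0001', 'fname' => 'Mallory'];

$db = setupDb();
vulnerableProfileUpdate($db, $tampered);
echo 'vulnerable: pid 1 is now ',
    $db->query('SELECT fname FROM patient_data WHERE pid = 1')->fetchColumn(), PHP_EOL;

$db = setupDb();
try {
    hardenedProfileUpdate($db, $bobSession, $tampered);
} catch (RuntimeException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ')', PHP_EOL;
}
echo 'hardened: pid 1 is still ',
    $db->query('SELECT fname FROM patient_data WHERE pid = 1')->fetchColumn(), PHP_EOL;

// A legitimate self-update still works under the hardened handler.
hardenedProfileUpdate($db, $bobSession, ['fname' => 'Robert']);
echo 'hardened: pid 2 is now ',
    $db->query('SELECT fname FROM patient_data WHERE pid = 2')->fetchColumn(), PHP_EOL;
```

Run with `php example.php` (requires the pdo_sqlite extension). The design point is that the identifier used in the WHERE clause is derived from the server-side session, so the request body can only carry the fields the user is allowed to change; the mismatch log line gives defenders a signal for attempted exploitation even though no public exploit is known.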


How to mitigate CVE-2025-67645

Install the security update from the vendor's website.

Sources