Improper Certificate Validation in OpenEMR - CVE-2025-67752


Published: April 23, 2026


Vulnerability identifier: #VU127252
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-67752
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote attacker to intercept, read, and modify encrypted communications.

The vulnerability exists due to improper certificate validation in the oeHttp and oeOAuth HTTP client wrappers when they make external HTTPS requests: the server certificate is not properly checked, so a forged certificate is accepted. A remote attacker positioned between OpenEMR and the external service can therefore perform a man-in-the-middle attack with a fake certificate to intercept, read, and modify the supposedly encrypted communications.

The issue affects external service integrations including government healthcare APIs and OAuth flows, potentially exposing protected health information and tokens.
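As an added illustration (not OpenEMR's own oeHttp/oeOAuth code, which this advisory does not reproduce), the following hypothetical PHP cURL wrapper shows the CWE-295 weakness beside a hardened version; the function names and the `$caBundle` path are assumptions.

```php
<?php
// Hypothetical HTTPS client wrapper illustrating CWE-295 (improper certificate
// validation). Not OpenEMR code; the names below are assumed for the example.

// Weak: peer-chain and hostname checks are disabled, so anyone who can sit on
// the path and present any certificate can terminate the TLS session and read
// or alter the request and response (PHI, OAuth tokens, ...).
function weakHttpsGet(string $url): string|false
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false, // no chain validation at all
        CURLOPT_SSL_VERIFYHOST => 0,     // no hostname/SAN check
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened: validate the chain against a known CA bundle, require a hostname
// match, allow HTTPS only (also across redirects), set a modern TLS floor, and
// surface TLS failures instead of silently returning false.
function hardenedHttpsGet(string $url, string $caBundle): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,              // validate the chain
        CURLOPT_SSL_VERIFYHOST => 2,                 // CN/SAN must match host
        CURLOPT_CAINFO         => $caBundle,         // assumed: path to CA bundle
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // never downgrade to http
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,  // ...not even on redirect
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_FAILONERROR    => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // On a MITM with a forged certificate this reads e.g.
        // "SSL certificate problem: self-signed certificate".
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("HTTPS request to $url failed: $err");
    }
    curl_close($ch);
    return $body;
}
```

The same weak pattern appears in Guzzle-based clients as `'verify' => false`; searching a deployment for either form is a cheap way to find wrappers that still disable validation after the update.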


How to mitigate CVE-2025-67752

Install the security update from the vendor's website.

Sources