Main Vulnerability Database Vulnerabilities #VU127260

Improper access control in OpenEMR - CVE-2026-25135

Published: April 23, 2026

Vulnerability identifier: #VU127260

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-25135

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenEMR

Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the Location resource for the Group.$export operation when handling export requests with system/(Group,Patient,*).$export and system/Location.read capabilities. A remote privileged user can use a confidential client configured with those permissions to disclose sensitive information.

User interaction is required, and exploitation occurs only when an administrator has enabled and granted permission to the confidential client with secure key exchange.

How to mitigate CVE-2026-25135

Install security update from vendor's website.

Sources

https://github.com/openemr/openemr/security/advisories/GHSA-fgxg-wg4w-rj23

Improper access control in OpenEMR - CVE-2026-25135

Detailed vulnerability description

How to mitigate CVE-2026-25135

Sources

Please verify you're human