Improper access control in OpenEMR - CVE-2026-25131

Published: April 23, 2026


Vulnerability identifier: #VU127265
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-25131
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to view, add, modify, and delete procedure types.

The vulnerability exists due to improper access control in the /openemr/interface/orders/types_edit.php endpoint when handling requests to manage the procedures configuration. A remote authenticated user can send crafted requests to this endpoint to view, create, update, or delete procedure type entries without holding the privilege that should gate those operations.

The issue affects the order types management system, and no user interaction is required.
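As an added illustration, not OpenEMR's own types_edit.php and not the vendor's fix (the advisory does not describe it), the pattern behind a CWE-284 finding on a management endpoint: the first handler reaches its write paths for any logged-in user, the second requires an explicit ACL decision before any branch is taken. `AclMain::aclCheckCore` is OpenEMR's ACL helper; the `('admin', 'super')` privilege pair, the `procedure_type` table and column names, and the `$post`/`PDO` plumbing are assumptions made for the example.

```php
<?php
// Added example, not OpenEMR code. Shows the missing-authorization pattern
// (CWE-284) and the corrected pattern for a configuration endpoint.
// Assumptions: the application bootstrap has already established an
// authenticated session, AclMain::aclCheckCore() is available, and the
// ACL pair ('admin', 'super') is the privilege that should gate this page.
use OpenEMR\Common\Acl\AclMain;

// VULNERABLE pattern: any authenticated user reaches the write paths.
// Authentication (a session exists) is mistaken for authorization.
function handleProcedureTypeRequestVulnerable(array $post, PDO $db): void
{
    $mode = $post['mode'] ?? 'view';
    $id   = (int) ($post['id'] ?? 0);

    if ($mode === 'delete') {
        $stmt = $db->prepare('DELETE FROM procedure_type WHERE procedure_type_id = ?');
        $stmt->execute([$id]);
    } elseif ($mode === 'save') {
        $stmt = $db->prepare('UPDATE procedure_type SET name = ? WHERE procedure_type_id = ?');
        $stmt->execute([(string) ($post['name'] ?? ''), $id]);
    }
    // ... 'view' falls through to rendering the list ...
}

// HARDENED pattern: the privilege check is made once, before the mode
// dispatch, and a failed check terminates the request instead of
// falling through to a read or write.
function handleProcedureTypeRequest(array $post, PDO $db): void
{
    if (!AclMain::aclCheckCore('admin', 'super')) {
        http_response_code(403);
        echo 'Not authorized';
        exit;
    }
    // Only an authorized user reaches the view/create/update/delete logic.
    handleProcedureTypeRequestVulnerable($post, $db);
}
```

The check belongs at the top of the script, before any mode-specific code runs, so that a new mode added later cannot be reached without it.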


How to mitigate CVE-2026-25131

Install the security update from the vendor's website.

Sources