Main Vulnerability Database Vulnerabilities #VU127281

Missing Authorization in OpenEMR - CVE-2026-25164

Published: April 23, 2026

Vulnerability identifier: #VU127281

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-25164

CWE-ID: CWE-862

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenEMR

Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify patient insurance data.

The vulnerability exists due to improper access control in document and insurance REST endpoints in apis/routes/_rest_routes_standard.inc.php when handling API requests with a valid bearer token. A remote user can send crafted requests for arbitrary patient identifiers to disclose sensitive information and modify patient insurance data.

The affected routes omit authorization checks that are used by other patient routes, allowing access across patient records regardless of the token's assigned ACLs.

How to mitigate CVE-2026-25164

Install security update from vendor's website.

Sources

https://github.com/openemr/openemr/security/advisories/GHSA-f64c-h2gh-g3f9

Missing Authorization in OpenEMR - CVE-2026-25164

Detailed vulnerability description

How to mitigate CVE-2026-25164

Sources

Please verify you're human