CVE-2026-25744 in OpenEMR
Summary
by MITRE • 03/19/2026
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current patient or encounter. An authenticated user with encounters/notes permission can overwrite any patient's vitals by supplying another patient's vital `id`, leading to medical record tampering. Version 8.0.0.2 fixes the issue.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability described in CVE-2026-25744 is a critical access control flaw in the OpenEMR medical records system that undermines the integrity of patient data. It affects versions prior to 8.0.0.2 and stems from insufficient validation in the encounter vitals API endpoint. An authenticated user with only the encounters/notes permission can manipulate medical records by changing a single request parameter, bypassing the normal security boundary between patients. The flaw lies in the API's handling of the `id` parameter in the request body: the system treats any supplied identifier as a legitimate update instruction without performing an authorization check.
Technically, this is a classic authorization bypass pattern classified under CWE-285 (Improper Authorization). When an authenticated user submits a request containing the vital record `id` of another patient, the API processes it as an update without verifying that the requesting user is entitled to modify that patient's data. This is a fundamental failure of least privilege and data isolation within the medical records system. Because the API does not validate the patient and encounter context during update operations, a user can leverage existing permissions to perform unauthorized modifications across different patient records.
From an operational perspective, this vulnerability creates significant risks for healthcare organizations using affected versions of OpenEMR, as it enables unauthorized medical record tampering that could compromise patient safety and regulatory compliance. The impact extends beyond simple data modification to potentially affect clinical decision-making processes, as incorrect vital signs could lead to inappropriate medical interventions. Healthcare providers may face serious consequences including regulatory penalties under HIPAA and other privacy regulations, as well as potential liability issues arising from tampered medical records. The vulnerability affects the core integrity of the electronic health record system, undermining trust in the accuracy of patient data and potentially compromising patient care quality.
The mitigation strategy for this vulnerability is to upgrade to OpenEMR version 8.0.0.2 or later, which implements proper authorization checks for vital record updates. Organizations should also audit their medical record systems for unauthorized modifications that may have occurred during the vulnerability window. Security teams should add monitoring around API endpoints that handle patient data modifications, particularly those that accept ID parameters for update operations. The fix demonstrates proper defensive programming practices that align with ATT&CK technique T1566, which addresses credential access and privilege escalation through API manipulation. Organizations should also review their access control policies and ensure that users have permissions only for the patient records they are authorized to access, implementing proper data segmentation and isolation so that similar cross-patient access issues cannot arise in other system components.
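The bypass pattern described in the analysis above and the ownership check the fix needs, as an added example in Python that is not OpenEMR's code: an in-memory vitals store with a handler that blindly updates whatever `id` the body names, beside a hardened handler that resolves the row server-side and refuses the update unless it belongs to the patient and encounter in the request context. The store, field names and `AuthorizationError` are constructed assumptions.

```python
# Constructed in-memory model of a vitals table; not OpenEMR's schema or code.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a request names a row outside its own patient/encounter."""


@dataclass
class Vital:
    id: int
    pid: int         # patient the row belongs to
    encounter: int   # encounter the row belongs to
    bps: int         # systolic blood pressure (assumed field)


@dataclass
class VitalsStore:
    rows: dict = field(default_factory=dict)

    def insert(self, pid, encounter, bps):
        vid = max(self.rows, default=0) + 1
        self.rows[vid] = Vital(vid, pid, encounter, bps)
        return vid


def save_vitals_vulnerable(store, pid, encounter, body):
    # Flawed pattern: any 'id' in the body is treated as "update that row",
    # with no check that the row belongs to this patient or encounter.
    if "id" in body:
        store.rows[body["id"]].bps = body["bps"]
        return body["id"]
    return store.insert(pid, encounter, body["bps"])


def save_vitals_fixed(store, pid, encounter, body):
    # Hardened pattern: look the row up server-side and bind the update to
    # the patient/encounter context of the request, not to the client's id.
    if "id" in body:
        row = store.rows.get(body["id"])
        if row is None or row.pid != pid or row.encounter != encounter:
            raise AuthorizationError("vital id not in this patient/encounter")
        row.bps = body["bps"]
        return row.id
    return store.insert(pid, encounter, body["bps"])


def cross_patient_result(handler):
    """Returns patient 1's stored value after a request in patient 2's
    context names patient 1's row; unchanged (120) means the check held."""
    store = VitalsStore()
    v1 = store.insert(pid=1, encounter=10, bps=120)
    try:
        handler(store, pid=2, encounter=20, body={"id": v1, "bps": 200})
    except AuthorizationError:
        pass
    return store.rows[v1].bps
```

`cross_patient_result` doubles as a regression test for the control: the vulnerable handler returns 200, the fixed one 120, and a same-patient update through the fixed handler still succeeds.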