8.1

CVE-2026-25164

Exploit

EPSS 0.1%
Veröffentlicht 25.02.2026 18:22:40
Zuletzt bearbeitet 27.02.2026 14:41:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the token’s OpenEMR ACLs—effectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Open-emr ≫ Openemr Version < 8.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.276

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/openemr/openemr/security/advisories/GHSA-f64c-h2gh-g3f9

Vendor Advisory

Exploit

https://github.com/openemr/openemr/commit/c5e1c44774156cd0d04f4e08ed6a81fe76d38e92

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-25164

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25164

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25164

EUVD