CVE-2026-23627
Received Received - Intake
SQL Injection in OpenEMR Immunization Module Enables Database Compromise

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied `patient_id` values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23627
EUVD
EUVD-2026-8700
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23627 is a critical SQL injection vulnerability found in the Immunization module of OpenEMR versions prior to 8.0.0. It occurs because the application directly concatenates user-supplied patient_id values into SQL WHERE clauses without any escaping, quoting, or parameterization. This unsafe practice allows any authenticated user with access to the Immunization module to inject arbitrary SQL commands.

Specifically, the vulnerability exists in the ImmunizationController class in the indexAction and reportAction methods. Attackers can manipulate the patient_id parameter to bypass filters, extract sensitive data, enumerate database schema, dump protected health information (PHI), and even perform time-based blind SQL injection. If the database user has FILE privileges, remote code execution is also possible by writing malicious files such as web shells to the server.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including complete database compromise and exposure of sensitive data. An attacker exploiting this flaw can exfiltrate protected health information (PHI) such as patient names, dates of birth, and patient IDs.'}, {'type': 'paragraph', 'content': 'Additionally, attackers can steal credentials by extracting usernames and password hashes, potentially leading to further unauthorized access. The vulnerability also opens the door to remote code execution if the database user has sufficient privileges, allowing attackers to execute arbitrary code on the server.'}, {'type': 'paragraph', 'content': "Overall, this compromises the confidentiality and integrity of patient data and the healthcare organization's systems."}] [1]

Compliance Impact

The vulnerability exposes protected health information (PHI) to unauthorized access and exfiltration, which directly violates regulations such as HIPAA that mandate the confidentiality and security of patient data.

Healthcare organizations using vulnerable versions of OpenEMR risk non-compliance with HIPAA requirements, potentially leading to legal penalties, reputational damage, and data breach notifications.

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by testing the Immunization module of OpenEMR for unsafe handling of the patient_id parameter. Since exploitation requires an authenticated session, detection involves sending crafted patient_id values to observe if arbitrary SQL commands can be executed.'}, {'type': 'list_item', 'content': "Use payloads like `patient_id=123') OR 1=1 --` to check if the SQL WHERE clause can be manipulated to always evaluate true."}, {'type': 'list_item', 'content': 'Attempt UNION SELECT injections to extract database information, such as usernames and password hashes.'}, {'type': 'list_item', 'content': 'Enumerate database schema by querying `information_schema.tables` through injection.'}, {'type': 'list_item', 'content': 'Confirm injection via time-based blind SQL injection using commands like `AND (SELECT SLEEP(5))` and observe response delays.'}, {'type': 'paragraph', 'content': 'These tests require authenticated access to the Immunization module and can be performed using tools like sqlmap or manual HTTP requests with crafted parameters.'}] [1]

Mitigation Strategies

The immediate and most effective mitigation is to upgrade OpenEMR to version 8.0.0 or later, where the vulnerability is patched.

If upgrading is not immediately possible, restrict access to the Immunization module to only trusted authenticated users and monitor for suspicious activity.

Implement network-level controls such as web application firewalls (WAFs) to detect and block SQL injection payloads targeting the patient_id parameter.

Review and apply input validation and sanitization on user-supplied parameters, ensuring that patient_id values only contain allowed characters (alphanumeric, spaces, hyphens) and avoid direct concatenation into SQL queries.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23627. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart