CVE-2026-23627
SQL Injection in OpenEMR Immunization Module Enables Database Compromise
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | all versions before 8.0.0 (8.0.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23627 is a critical SQL injection vulnerability found in the Immunization module of OpenEMR versions prior to 8.0.0. It occurs because the application directly concatenates user-supplied patient_id values into SQL WHERE clauses without any escaping, quoting, or parameterization. This unsafe practice allows any authenticated user with access to the Immunization module to inject arbitrary SQL commands.
Specifically, the vulnerability exists in the ImmunizationController class in the indexAction and reportAction methods. Attackers can manipulate the patient_id parameter to bypass filters, extract sensitive data, enumerate database schema, dump protected health information (PHI), and even perform time-based blind SQL injection. If the database user has FILE privileges, remote code execution is also possible by writing malicious files such as web shells to the server.
How can this vulnerability impact me?
This vulnerability can have severe impacts including complete database compromise and exposure of sensitive data. An attacker exploiting this flaw can exfiltrate protected health information (PHI) such as patient names, dates of birth, and patient IDs.
Additionally, attackers can steal credentials by extracting usernames and password hashes, potentially leading to further unauthorized access. The vulnerability also opens the door to remote code execution if the database user has sufficient privileges, allowing attackers to execute arbitrary code on the server.
Overall, this compromises the confidentiality and integrity of patient data and the healthcare organization's systems. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability exposes protected health information (PHI) to unauthorized access and exfiltration, which directly violates regulations such as HIPAA that mandate the confidentiality and security of patient data.
Healthcare organizations using vulnerable versions of OpenEMR risk non-compliance with HIPAA requirements, potentially leading to legal penalties, reputational damage, and data breach notifications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by testing the Immunization module of OpenEMR for unsafe handling of the patient_id parameter. Since exploitation requires an authenticated session, detection involves sending crafted patient_id values to observe if arbitrary SQL commands can be executed.
- Use payloads like `patient_id=123') OR 1=1 --` to check if the SQL WHERE clause can be manipulated to always evaluate true.
- Attempt UNION SELECT injections to extract database information, such as usernames and password hashes.
- Enumerate database schema by querying `information_schema.tables` through injection.
- Confirm injection via time-based blind SQL injection using commands like `AND (SELECT SLEEP(5))` and observe response delays.
These tests require authenticated access to the Immunization module and can be performed using tools like sqlmap or manual HTTP requests with crafted parameters. [1]
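Beyond active testing, a defender can look for the payload shapes listed above in existing web server logs. The following added example (not part of the advisory or of OpenEMR) scans constructed Apache-style access-log lines, decodes the patient_id query parameter, and flags any value that fails the advisory's allowlist (alphanumerics, spaces, hyphens); the request paths are placeholders, not OpenEMR's real routes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist taken from the advisory's mitigation guidance.
ALLOWED_PATIENT_ID = re.compile(r"^[A-Za-z0-9 -]+$")

# Signatures for the payload shapes the advisory lists: tautology, UNION SELECT,
# information_schema enumeration, SLEEP()-based timing, and comment tails.
SQLI_SIGNATURES = {
    "tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    "union_select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "schema_enum": re.compile(r"information_schema", re.I),
    "time_based": re.compile(r"\bsleep\s*\(", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)"),
}

# Constructed sample log lines; /immunization/... is a placeholder path.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:00:01 +0000] "GET /immunization/index?patient_id=123 HTTP/1.1" 200 512
10.0.0.7 - - [25/Feb/2026:10:00:02 +0000] "GET /immunization/index?patient_id=123%27%29%20OR%201%3D1%20-- HTTP/1.1" 200 9120
10.0.0.7 - - [25/Feb/2026:10:00:03 +0000] "GET /immunization/report?patient_id=1%20AND%20%28SELECT%20SLEEP%285%29%29 HTTP/1.1" 200 410
10.0.0.9 - - [25/Feb/2026:10:00:04 +0000] "GET /immunization/index?patient_id=ab-12%20c HTTP/1.1" 200 520
"""

# Client IP, timestamp and request target from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')


def scan_log(text):
    """Return (client_ip, timestamp, decoded patient_id, [signature names]) for
    every request whose patient_id fails the allowlist. An empty signature list
    means the value is malformed but matches no known payload shape."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        # parse_qs percent-decodes the value, so signatures see the real text.
        for value in parse_qs(urlsplit(target).query).get("patient_id", []):
            if ALLOWED_PATIENT_ID.fullmatch(value):
                continue
            hits = [name for name, rx in SQLI_SIGNATURES.items() if rx.search(value)]
            findings.append((ip, ts, value, hits))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```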
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade OpenEMR to version 8.0.0 or later, where the vulnerability is patched.
If upgrading is not immediately possible, restrict access to the Immunization module to only trusted authenticated users and monitor for suspicious activity.
Implement network-level controls such as web application firewalls (WAFs) to detect and block SQL injection payloads targeting the patient_id parameter.
Review and apply input validation and sanitization on user-supplied parameters, ensuring that patient_id values only contain allowed characters (alphanumeric, spaces, hyphens) and avoid direct concatenation into SQL queries.
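To make the last two points concrete, the following added example (not OpenEMR's code) places the concatenation pattern the advisory describes beside a hardened version that applies the allowlist above and binds patient_id as a query parameter. It runs against a constructed in-memory SQLite table standing in for an immunization table; the tautology input is the one quoted in the detection section.

```python
import re
import sqlite3

# Allowlist from the advisory's mitigation: alphanumerics, spaces, hyphens.
ALLOWED_PATIENT_ID = re.compile(r"^[A-Za-z0-9 -]+$")


def make_db():
    """Constructed in-memory table; column names are assumptions."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE immunizations (id INTEGER, patient_id TEXT, vaccine TEXT)")
    con.executemany("INSERT INTO immunizations VALUES (?, ?, ?)",
                    [(1, "123", "MMR"), (2, "456", "HepB"), (3, "789", "Tdap")])
    return con


def list_immunizations_vulnerable(con, patient_id):
    # The flaw the advisory describes: the request value is spliced straight
    # into the WHERE clause, so a quote and a comment marker become SQL.
    sql = f"SELECT id, patient_id, vaccine FROM immunizations WHERE (patient_id = '{patient_id}')"
    return con.execute(sql).fetchall()


def list_immunizations_hardened(con, patient_id):
    # Reject anything outside the allowlist, then bind the value so the
    # driver never interprets it as SQL syntax.
    if not ALLOWED_PATIENT_ID.fullmatch(patient_id):
        raise ValueError("patient_id contains disallowed characters")
    sql = "SELECT id, patient_id, vaccine FROM immunizations WHERE patient_id = ?"
    return con.execute(sql, (patient_id,)).fetchall()


def demo():
    """Returns (rows leaked by the vulnerable query, hardened outcome,
    rows returned by the hardened query for a legitimate id)."""
    con = make_db()
    payload = "123') OR 1=1 --"  # tautology shape quoted in the advisory
    leaked = len(list_immunizations_vulnerable(con, payload))
    try:
        list_immunizations_hardened(con, payload)
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return leaked, outcome, len(list_immunizations_hardened(con, "123"))


if __name__ == "__main__":
    print(demo())
```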