CVE-2026-24487
Status: Received - Intake
Authorization Bypass in OpenEMR FHIR CareTeam Exposes PHI

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all patients instead of being restricted to only the authenticated patient's data. This could potentially lead to unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures across the entire system. The issue occurs because the `FhirCareTeamService` does not implement the `IPatientCompartmentResourceService` interface and does not pass the patient binding parameter to the underlying service, bypassing the patient compartment filtering mechanism. Version 8.0.0 contains a patch for this issue.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: open-emr
Product: openemr
Version range: all versions before 8.0.0 (8.0.0 excluded)
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, restrict access to the FHIR CareTeam resource endpoint to trusted users only and monitor for unauthorized access attempts.

Additionally, review and limit OAuth2 token scopes to minimize exposure and consider disabling the FHIR API temporarily if sensitive data exposure risk is high.

Executive Summary

CVE-2026-24487 is an authorization bypass vulnerability in the OpenEMR electronic health records system, specifically in the FHIR CareTeam resource endpoint. Before version 8.0.0, patient-scoped FHIR tokens, which should only allow access to the authenticated patient's data, could instead access care team data for all patients in the system. This happens because the FhirCareTeamService class does not implement the required IPatientCompartmentResourceService interface and fails to pass the patient binding parameter to the underlying service, bypassing patient compartment filtering.

As a result, unauthorized users with patient-scoped tokens could retrieve Protected Health Information (PHI) such as patient-provider relationships and care team structures for all patients, not just their own. [2]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive Protected Health Information (PHI) across the entire OpenEMR system. An attacker with a patient-scoped FHIR OAuth2 token could access care team data for all patients, exposing confidential patient-provider relationships and care team structures.

Such exposure can compromise patient privacy, potentially leading to privacy violations, loss of trust, and legal consequences for healthcare providers and organizations using OpenEMR with FHIR API enabled.


Detection Guidance

This vulnerability can be detected by testing the FHIR CareTeam resource endpoint with a patient-scoped FHIR OAuth2 token to see if it returns care team data for multiple patients instead of restricting to the authenticated patient only.

A proof of concept involves obtaining a patient-scoped FHIR OAuth2 token and sending a GET request to the CareTeam FHIR endpoint without specifying a patient parameter. If the response contains care team data for multiple patients, the vulnerability is present.

- Obtain a patient-scoped FHIR OAuth2 token via standard OAuth2 authentication.
- Use a command like: curl -H "Authorization: Bearer <patient-scoped-token>" https://<openemr-server>/fhir/CareTeam
- Check if the response includes care team data for patients other than the authenticated patient. [2]
