CVE-2026-24487
Authorization Bypass in OpenEMR FHIR CareTeam Exposes PHI
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | up to 8.0.0 (excluding 8.0.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where this vulnerability has been patched.
If upgrading is not immediately possible, restrict access to the FHIR CareTeam resource endpoint to trusted users only and monitor for unauthorized access attempts.
Additionally, review and limit OAuth2 token scopes to minimize exposure and consider disabling the FHIR API temporarily if sensitive data exposure risk is high.
Can you explain this vulnerability to me?
CVE-2026-24487 is an authorization bypass vulnerability in the OpenEMR electronic health records system, specifically in the FHIR CareTeam resource endpoint. Before version 8.0.0, patient-scoped FHIR tokens, which should only allow access to the authenticated patient's data, could instead access care team data for all patients in the system. This happens because the FhirCareTeamService class does not implement the required IPatientCompartmentResourceService interface and fails to pass the patient binding parameter to the underlying service, bypassing patient compartment filtering.

As a result, unauthorized users with patient-scoped tokens could retrieve Protected Health Information (PHI) such as patient-provider relationships and care team structures for all patients, not just their own. [2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive Protected Health Information (PHI) across the entire OpenEMR system. An attacker with a patient-scoped FHIR OAuth2 token could access care team data for all patients, exposing confidential patient-provider relationships and care team structures.
Such exposure can compromise patient privacy, potentially leading to privacy violations, loss of trust, and legal consequences for healthcare providers and organizations using OpenEMR with FHIR API enabled.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the FHIR CareTeam resource endpoint with a patient-scoped FHIR OAuth2 token to see if it returns care team data for multiple patients instead of restricting to the authenticated patient only.

A proof of concept involves obtaining a patient-scoped FHIR OAuth2 token and sending a GET request to the CareTeam FHIR endpoint without specifying a patient parameter. If the response contains care team data for multiple patients, the vulnerability is present.

- Obtain a patient-scoped FHIR OAuth2 token via standard OAuth2 authentication.
- Use a command like: `curl -H "Authorization: Bearer <patient-scoped-token>" https://<openemr-server>/fhir/CareTeam`
- Check if the response includes care team data for patients other than the authenticated patient. [2]
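The last step above can be scripted. The following is an added example, not part of this advisory or of OpenEMR: it takes the JSON Bundle returned by `GET /fhir/CareTeam` (here a constructed sample, not real OpenEMR output) together with the patient id the token is scoped to, and lists every CareTeam whose `subject` is not that patient. The function name `cross_patient_careteams` and the ids `p-001`/`p-002` are assumptions for the example.

```python
import json

# Constructed sample Bundle, as a vulnerable server might return it to a token
# bound to Patient/p-001: ct-2 belongs to a different patient, ct-3 has no
# subject at all. Not real OpenEMR output.
SAMPLE_BUNDLE = json.dumps({
    "resourceType": "Bundle",
    "type": "searchset",
    "entry": [
        {"resource": {"resourceType": "CareTeam", "id": "ct-1",
                      "subject": {"reference": "Patient/p-001"}}},
        {"resource": {"resourceType": "CareTeam", "id": "ct-2",
                      "subject": {"reference": "Patient/p-002"}}},
        {"resource": {"resourceType": "CareTeam", "id": "ct-3"}},
    ],
})


def careteam_subject(resource):
    """Return the patient id a CareTeam's subject reference points at, or None."""
    ref = resource.get("subject", {}).get("reference", "")
    prefix = "Patient/"
    return ref[len(prefix):] if ref.startswith(prefix) else None


def cross_patient_careteams(bundle_json, authenticated_patient_id):
    """Return ids of CareTeam entries not bound to the authenticated patient.

    A server that enforces the patient compartment returns an empty list.
    Entries with no patient subject are reported too, because the caller
    cannot show they belong to the token's compartment.
    """
    bundle = json.loads(bundle_json)
    leaked = []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") != "CareTeam":
            continue
        if careteam_subject(res) != authenticated_patient_id:
            leaked.append(res.get("id", "<no id>"))
    return leaked


if __name__ == "__main__":
    leaked = cross_patient_careteams(SAMPLE_BUNDLE, "p-001")
    print("compartment filtering OK" if not leaked
          else f"PHI exposure: CareTeam(s) outside compartment: {leaked}")
```

Against a patched server the same call with the live response body should return an empty list; any non-empty result on a pre-8.0.0 instance is the exposure this CVE describes.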