Executive Summary

CVE-2026-24890 is an authorization bypass vulnerability in OpenEMR versions prior to 8.0.0 that affects the patient portal signature saving endpoint.

Authenticated patient portal users can exploit this flaw by sending a specially crafted request with the parameter type=admin-signature and specifying any provider user ID. This allows them to upload and overwrite provider signatures without proper authorization.

The vulnerability arises because the system forcibly sets the patient ID to 0 when type=admin-signature is used, bypassing patient-specific authorization checks, and it accepts the provider user ID directly from user input without validation.

This enables portal users to impersonate providers by forging their signatures on medical documents.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized users to modify and forge provider signatures on medical documents.

Such forgery can lead to legal compliance violations and fraud.

Healthcare providers, patients, and organizations using OpenEMR are at risk because forged signatures can undermine the trustworthiness and authenticity of medical records.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability can lead to violations of legal and compliance requirements because it allows unauthorized modification and forgery of provider signatures on medical documents.

Such unauthorized changes to medical records can compromise data integrity and authenticity, which are critical for compliance with standards like HIPAA that mandate the protection and accuracy of health information.

This could result in regulatory penalties and loss of trust from patients and regulatory bodies.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the patient portal signature saving endpoint, specifically to the URL path `portal/sign/lib/save-signature.php`.'}, {'type': 'paragraph', 'content': 'Look for POST requests containing the parameter `type=admin-signature` along with a `user` parameter specifying a provider user ID. Such requests indicate attempts to bypass authorization and overwrite provider signatures.'}, {'type': 'paragraph', 'content': 'Commands to detect such activity could include using network traffic inspection tools or web server logs to filter for these POST requests. For example, using `grep` on web server logs:'}, {'type': 'list_item', 'content': "grep 'POST /portal/sign/lib/save-signature.php' /var/log/apache2/access.log | grep 'type=admin-signature'"}, {'type': 'paragraph', 'content': 'Alternatively, using tools like Wireshark or tcpdump to capture HTTP POST traffic and filter for the `type=admin-signature` parameter in the request body can help identify exploitation attempts.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "The fix involves blocking portal users from using the `admin-signature` type and enforcing that the user ID parameter is overridden with the session's patient ID, preventing unauthorized signature overwrites."}, {'type': 'paragraph', 'content': 'Until the upgrade can be applied, consider restricting access to the vulnerable endpoint or monitoring and blocking suspicious POST requests containing `type=admin-signature`.'}] [1, 2]

Useful 0 Not Useful 0