CVE-2026-25127
Received Received - Intake
Improper Permission Validation in OpenEMR Allows Unauthorized Data Access

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permission. Unauthorized users can view the information of authorized users. Version 8.0.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25127
EUVD
EUVD-2026-8582
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25127 is a high-severity Broken Access Control vulnerability in OpenEMR versions prior to 8.0.0, specifically affecting the Care Coordination module.

The server does not properly validate user permissions, which allows unauthorized users to access sensitive information intended only for authorized roles.

An attacker with a low-privilege account can exploit this by manipulating session cookies to bypass access control restrictions and view data they should not have access to.

Impact Analysis

This vulnerability can severely impact the confidentiality of sensitive data within OpenEMR systems.

  • Unauthorized users can view sensitive patient coordination data without proper permissions.
  • Attackers only need low-privilege credentials and no user interaction to exploit this remotely.

Integrity and availability of the system are not affected by this vulnerability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access the Care Coordination module data using a low-privilege user account that should not have access. Specifically, one can capture HTTP requests made by an Administrator user to the Care Coordination module and then replay those requests using the session cookie of a low-privilege user (such as an Accounting role user). If the server improperly allows access to the data despite the lower privileges, the vulnerability is present.

Commands or steps to detect this include:

  • Log in as an Administrator and capture HTTP requests to the Care Coordination module URL (e.g., using tools like curl, Burp Suite, or browser developer tools).
  • Log in as a low-privilege user (e.g., accountant) and obtain their session cookie.
  • Modify the captured Administrator HTTP request by replacing the Administrator session cookie with the low-privilege user’s session cookie.
  • Send the modified request to the server and observe if the low-privilege user can access the Care Coordination data.
Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where this broken access control issue has been fixed.

Until the upgrade can be performed, consider restricting access to the Care Coordination module by network controls or disabling the module for low-privilege users to prevent unauthorized access.

Additionally, monitor and audit user access logs for any suspicious activity involving the Care Coordination module.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25127. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart