CVE-2026-25127
Improper Permission Validation in OpenEMR Allows Unauthorized Data Access
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | up to 8.0.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25127 is a high-severity Broken Access Control vulnerability in OpenEMR versions prior to 8.0.0, specifically affecting the Care Coordination module.
The server does not properly validate user permissions, which allows unauthorized users to access sensitive information intended only for authorized roles.
An attacker with a low-privilege account can exploit this by manipulating session cookies to bypass access control restrictions and view data they should not have access to.
How can this vulnerability impact me?
This vulnerability can severely impact the confidentiality of sensitive data within OpenEMR systems.
- Unauthorized users can view sensitive patient coordination data without proper permissions.
- Attackers only need low-privilege credentials and no user interaction to exploit this remotely.
Integrity and availability of the system are not affected by this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the Care Coordination module data using a low-privilege user account that should not have access. Specifically, one can capture HTTP requests made by an Administrator user to the Care Coordination module and then replay those requests using the session cookie of a low-privilege user (such as an Accounting role user). If the server improperly allows access to the data despite the lower privileges, the vulnerability is present.
Commands or steps to detect this include:
- Log in as an Administrator and capture HTTP requests to the Care Coordination module URL (e.g., using tools like curl, Burp Suite, or browser developer tools).
- Log in as a low-privilege user (e.g., accountant) and obtain their session cookie.
- Modify the captured Administrator HTTP request by replacing the Administrator session cookie with the low-privilege user's session cookie.
- Send the modified request to the server and observe if the low-privilege user can access the Care Coordination data.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where this broken access control issue has been fixed.
Until the upgrade can be performed, consider restricting access to the Care Coordination module by network controls or disabling the module for low-privilege users to prevent unauthorized access.
Additionally, monitor and audit user access logs for any suspicious activity involving the Care Coordination module.