Executive Summary

CVE-2026-25131 is a Broken Access Control vulnerability in OpenEMR versions prior to 8.0.0, specifically in the order types management system accessible via the endpoint /openemr/interface/orders/types_edit.php.

This vulnerability allows low-privilege authenticated users, such as Receptionists, to add, modify, and delete procedure types without proper authorization because the affected code lacks proper access control checks and CSRF protection.

The issue arises because the endpoint processes form submissions and database updates without verifying user permissions, allowing unauthorized users to bypass intended access controls.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant impacts including unauthorized viewing, addition, modification, and deletion of procedure types within the OpenEMR system.

• Disruption of the integrity of the ordering system.
• Creation of malicious or incorrect procedure types that could negatively affect patient care.
• Bypassing of intended access controls, allowing low-privilege users to perform administrative actions.
• Potential compromise of confidentiality, integrity, and availability of the system, as indicated by the high CVSS score of 8.8.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if unauthorized users can access or modify procedure types via the vulnerable endpoints. Specifically, attempts to access or manipulate the /openemr/interface/orders/types_edit.php and /openemr/interface/orders/types_ajax.php endpoints without proper authorization indicate the presence of the vulnerability.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts or presence of the vulnerability include sending HTTP requests to these endpoints as a low-privilege user and observing if unauthorized actions are permitted.'}, {'type': 'list_item', 'content': 'Send a GET request to /openemr/interface/orders/types_ajax.php to see if procedure types can be viewed without proper permissions.'}, {'type': 'list_item', 'content': 'Send a crafted POST request to /openemr/interface/orders/types_edit.php with parameters such as form_save and procedure details to test if procedure types can be added or modified without authorization.'}, {'type': 'list_item', 'content': 'Example curl commands:'}, {'type': 'list_item', 'content': 'curl -u receptionist:password -X GET https://your-openemr-server/openemr/interface/orders/types_ajax.php'}, {'type': 'list_item', 'content': "curl -u receptionist:password -X POST https://your-openemr-server/openemr/interface/orders/types_edit.php -d 'form_save=1&typeid=0&procedure_name=TestProcedure'"}, {'type': 'paragraph', 'content': 'If these commands succeed in viewing or modifying procedure types without admin privileges, the system is vulnerable.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade OpenEMR to version 8.0.0 or later, where the vulnerability is patched.
• Restrict access to the /openemr/interface/orders/types_edit.php and /openemr/interface/orders/types_ajax.php endpoints to authorized users only, enforcing proper role-based access control.
• Implement or verify that Cross-Site Request Forgery (CSRF) protections are in place on form submissions related to procedure type management.
• Monitor logs for unauthorized access attempts to these endpoints and block suspicious IPs or users.

These steps will help prevent unauthorized users from adding, modifying, or deleting procedure types and protect the integrity of the ordering system.

Useful 0 Not Useful 0