CVE-2026-25135
Information Disclosure in OpenEMR Prior to 8.0.0 via Export Permissions
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | up to 8.0.0 (excluding 8.0.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25135 is an information disclosure vulnerability in OpenEMR versions prior to 8.0.0. It occurs in the Location resource related to the Group.$export operation, which improperly exposes the entire contact information of all users, organizations, and patients in the system.
Exploitation requires possession of both the system/(Group,Patient,*).$export operation and system/Location.read capabilities, which are only granted in highly trusted environments with confidential clients and secure key exchange. An administrator must enable and grant these permissions, typically in server-to-server communications between legally trusted clients.
The vulnerability allows unauthorized disclosure of sensitive contact data but does not affect data integrity or availability. It has a moderate severity with a CVSS v3.1 base score of 4.5.
How can this vulnerability impact me?
This vulnerability can lead to the unauthorized disclosure of sensitive contact information for all users, organizations, and patients stored in the OpenEMR system.
Because it exposes confidential contact data, it can compromise privacy and confidentiality within healthcare environments, potentially leading to data breaches.
However, exploitation requires high privileges and trusted client permissions, so the risk is limited to environments where these elevated permissions are granted.
Mitigation involves upgrading to OpenEMR version 8.0.0 or later or disabling clients with the vulnerable scopes until the patch is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the system/(Group,Patient,*).$export operation combined with the system/Location.read capability: a client holding both can read the contact information of all users, organizations, and patients.
Detection would involve monitoring for usage of these specific API operations or scopes by clients, especially those with elevated privileges and confidential client credentials.
Since exploitation requires administrator-enabled permissions and secure key exchange, detection can focus on auditing clients that have the system/Location.read scope or the system/(Group,Patient,*).$export operation enabled.
Specific commands are not provided in the available resources, but administrators should review client permissions and logs for any access to these operations or scopes.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenEMR to version 8.0.0 or later, which contains the patch addressing this vulnerability.
As an immediate workaround before upgrading, disable clients that have the vulnerable scopes, specifically those with system/Location.read access.
Only allow clients that do not have the system/Location.read scope until the patch is deployed.
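The detection and mitigation answers above both come down to finding registered API clients that hold a bulk $export scope together with system/Location.read. The audit below is an added example, not OpenEMR code: the client records are constructed, and the `scopes` field is assumed to be the space-separated SMART scope string a client was granted at registration.

```python
"""Audit API client registrations for the scope combination behind CVE-2026-25135.

Added example, not part of OpenEMR. Assumes each registered client is available
as a record with a space-separated scope string (constructed sample below).
"""
import re
from dataclasses import dataclass

# Scopes named in the advisory: system/(Group|Patient|*).$export and system/Location.read
EXPORT_SCOPE = re.compile(r"^system/(Group|Patient|\*)\.\$export$")
LOCATION_READ = "system/Location.read"


@dataclass
class Client:
    client_id: str
    name: str
    enabled: bool
    scopes: str  # space-separated scope string (assumption about the export format)


def has_risky_combination(scopes: str) -> bool:
    """True when the scope string grants both a bulk $export scope and Location.read."""
    granted = set(scopes.split())
    has_export = any(EXPORT_SCOPE.match(scope) for scope in granted)
    return has_export and LOCATION_READ in granted


def audit(clients):
    """Return (client_id, enabled) for every client able to reach the leaking path.

    Enabled hits are the ones to disable until the 8.0.0 upgrade is deployed;
    disabled hits are worth reviewing before anyone re-enables them.
    """
    return [(c.client_id, c.enabled) for c in clients if has_risky_combination(c.scopes)]


# Constructed sample registrations; not real OpenEMR data.
SAMPLE_CLIENTS = [
    Client("c-1", "billing-backend", True,
           "system/Group.$export system/Location.read system/Patient.read"),
    Client("c-2", "analytics", True, "system/*.$export system/Patient.read"),
    Client("c-3", "legacy-export", False, "system/Patient.$export system/Location.read"),
    Client("c-4", "portal", True, "patient/Patient.read openid fhirUser"),
]

if __name__ == "__main__":
    for client_id, enabled in audit(SAMPLE_CLIENTS):
        state = "ENABLED - disable until patched" if enabled else "disabled"
        print(f"{client_id}: holds $export + Location.read ({state})")
```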