CVE-2026-25164
Authorization Bypass in OpenEMR REST API Exposes PHI
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | up to 8.0.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in OpenEMR prior to version 8.0.0 involves missing authorization checks in certain REST API routes related to patient documents and insurance data. Specifically, the routes handling these resources did not call the function responsible for enforcing Access Control List (ACL) permissions, allowing any valid API bearer token to access or modify all patients' documents and insurance information regardless of the token's assigned permissions.

This means that API endpoints such as those for adding, retrieving, or modifying patient documents and insurance data were accessible without proper authorization validation, exposing sensitive patient health information (PHI) and insurance details to unauthorized users who possess any valid API token. [1, 2]
How can this vulnerability impact me?
This vulnerability can have severe impacts by allowing unauthorized access and modification of sensitive patient documents and insurance data. Any authenticated API client with a valid bearer token, even with minimal permissions, can read, upload, or alter protected health information (PHI) and insurance details for any patient.
- Unauthorized reading of all patient documents and insurance data.
- Unauthorized modification or uploading of patient documents.
- Unauthorized swapping or changing of insurance assignments.
This exposure can lead to privacy breaches, data integrity issues, and potential misuse of sensitive medical and financial information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring API calls to the affected OpenEMR REST API endpoints that handle patient documents and insurance data without proper authorization checks.

Specifically, suspicious or unauthorized access can be identified by checking for API requests using valid bearer tokens to the following endpoints:

- `GET /api/patient/<patient_id>/document?path=/` (listing documents)
- `GET /api/patient/<patient_id>/document/<document_id>` (downloading documents)
- `POST /api/patient/<patient_id>/document` (adding or modifying documents)
- `GET /api/patient/<patient_uuid>/insurance` (retrieving insurance data)
- `GET /api/patient/<patient_uuid>/insurance/$swap-insurance?type=primary&uuid=<insurance_uuid>` (swapping insurance assignments)

Commands to detect exploitation attempts could include inspecting web server or API gateway logs for these endpoints accessed with bearer tokens, for example using grep or similar tools:

- `grep -i 'GET /api/patient/.*/document' /var/log/openemr_access.log`
- `grep -i 'POST /api/patient/.*/document' /var/log/openemr_access.log`
- `grep -i 'GET /api/patient/.*/insurance' /var/log/openemr_access.log`

Additionally, monitoring for unusual or unauthorized bearer tokens accessing these endpoints can help detect exploitation. [2]
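The grep commands above only list hits; the signal that actually distinguishes abuse of this bug from normal use is one API client reaching documents or insurance records of many different patients, or performing the write operations (document upload, insurance swap) it should not be entitled to. The following script is an added example, not part of this advisory or of OpenEMR, that parses a constructed gateway log and groups successful hits on the affected routes per client. It assumes a gateway log format of the form `<timestamp> client=<id> <METHOD> <path> <status>`, where `client` is an identifier the gateway records for the bearer token (a plain web-server access log usually does not record the token, so that field is an assumption about your logging setup); the route patterns are the ones listed in the advisory.

```python
import re
from collections import defaultdict

# Affected routes from the advisory; <patient_id>/<patient_uuid> is one path segment.
DOCUMENT_RE = re.compile(r"^/api/patient/([^/?]+)/document(?:/[^?]*)?(?:\?.*)?$")
INSURANCE_RE = re.compile(r"^/api/patient/([^/?]+)/insurance(?:/[^?]*)?(?:\?.*)?$")
SWAP_MARKER = "/insurance/$swap-insurance"

# Assumed gateway log format (not OpenEMR's own): "<ts> client=<id> <METHOD> <path> <status>"
LINE_RE = re.compile(r"^(\S+) client=(\S+) ([A-Z]+) (\S+) (\d{3})$")

# Constructed sample log lines for demonstration; the client ids and patient ids are made up.
SAMPLE_LOG = """\
2026-02-25T10:00:01Z client=tok-A GET /api/patient/101/document?path=/ 200
2026-02-25T10:00:02Z client=tok-A GET /api/patient/102/document/55 200
2026-02-25T10:00:03Z client=tok-A GET /api/patient/103/document?path=/ 200
2026-02-25T10:00:04Z client=tok-A GET /api/patient/104/insurance 200
2026-02-25T10:00:05Z client=tok-B GET /api/patient/101/document?path=/ 200
2026-02-25T10:00:06Z client=tok-B POST /api/patient/101/document 201
2026-02-25T10:00:07Z client=tok-C GET /api/patient/uuid-c1/insurance/$swap-insurance?type=primary&uuid=uuid-ins9 200
2026-02-25T10:00:08Z client=tok-D GET /api/patient/105/document?path=/ 403
2026-02-25T10:00:09Z client=tok-A GET /api/version 200
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, path, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "path": path, "status": int(status)}


def classify(method, path):
    """Map a request to (category, patient) if it hits an affected route, else None."""
    m = DOCUMENT_RE.match(path)
    if m:
        return ("document-write" if method == "POST" else "document-read", m.group(1))
    m = INSURANCE_RE.match(path)
    if m:
        return ("insurance-swap" if SWAP_MARKER in path else "insurance-read", m.group(1))
    return None


def summarize(log_text):
    """Per client: the set of distinct patients touched on affected routes and hit counts per category."""
    per_client = defaultdict(lambda: {"patients": set(), "hits": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only successful calls are evidence of a bypass; a 403 means the ACL held.
        if rec is None or rec["status"] >= 400:
            continue
        hit = classify(rec["method"], rec["path"])
        if hit is None:
            continue
        category, patient = hit
        per_client[rec["client"]]["patients"].add(patient)
        per_client[rec["client"]]["hits"][category] += 1
    return per_client


def flag_clients(log_text, max_patients=1):
    """Return (client, sorted patients, reasons) for clients that exceed the expected patient
    breadth or that performed a document upload or insurance swap."""
    findings = []
    for client, info in sorted(summarize(log_text).items()):
        reasons = []
        if len(info["patients"]) > max_patients:
            reasons.append(f"{len(info['patients'])} distinct patients")
        for cat in ("document-write", "insurance-swap"):
            if info["hits"].get(cat):
                reasons.append(f"{info['hits'][cat]} {cat} call(s)")
        if reasons:
            findings.append((client, sorted(info["patients"]), reasons))
    return findings


if __name__ == "__main__":
    for client, patients, reasons in flag_clients(SAMPLE_LOG):
        print(f"{client}: {', '.join(reasons)}; patients={patients}")
```

Tune `max_patients` to what a given integration is legitimately expected to touch (a single-patient portal token should never exceed one), and run the script over the real log instead of `SAMPLE_LOG`. Failed requests (4xx) are deliberately ignored because they show the authorization check working; on a patched 8.0.0 install the same breadth of successful cross-patient access would itself be a finding worth reviewing.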
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where the missing authorization checks have been added to the affected REST API routes.
If upgrading immediately is not possible, consider disabling or restricting access to the vulnerable API endpoints related to patient documents and insurance data until a patch can be applied.
Additionally, review and restrict API bearer tokens to only trusted clients and monitor API usage closely for suspicious activity.
Applying network-level controls such as firewall rules or API gateway policies to limit access to these endpoints can also reduce risk.