CVE-2026-25164
Status: Received - Intake
Authorization Bypass in OpenEMR REST API Exposes PHI

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the token's OpenEMR ACLs, effectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.
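To make the route-table pattern in the description concrete, the following is an added, self-contained PHP 8 model and not OpenEMR's own code: a tiny dispatcher, a token store, a stand-in for `RestConfig::request_authorization_check()`, and two versions of the document and insurance routes, one without the per-route check (the pre-8.0.0 shape) and one with it. The class `TokenStore`, the ACL labels `patients/docs` and `patients/insurance`, the sample tokens and patient data, and the check's signature are all assumptions made for the example.

```php
<?php
// Added illustration of the missing-check flaw, not OpenEMR's code.
// TokenStore, the ACL labels, the sample data and the dispatcher are assumed.
declare(strict_types=1);

// Constructed token store: each bearer token carries the ACLs it was issued.
final class TokenStore
{
    private const TOKENS = [
        'tok-billing'   => ['patients/insurance'], // insurance yes, documents no
        'tok-frontdesk' => ['patients/demo'],      // demographics only
    ];

    public static function aclsFor(?string $bearer): ?array
    {
        return $bearer === null ? null : (self::TOKENS[$bearer] ?? null);
    }
}

final class RestConfig
{
    // Stand-in for request_authorization_check(): refuse the request unless
    // the token behind it holds the ACL the route requires.
    public static function request_authorization_check(array $request, string $section, string $value): void
    {
        $acls = TokenStore::aclsFor($request['bearer']);
        if ($acls === null) {
            throw new RuntimeException('401 no valid bearer token');
        }
        if (!in_array("$section/$value", $acls, true)) {
            throw new RuntimeException("403 token lacks ACL $section/$value");
        }
    }
}

// Constructed PHI, keyed by patient id.
const DOCUMENTS = ['1' => ['note-2026-01.pdf'], '2' => ['lab-results.pdf', 'referral.pdf']];
const INSURANCE = ['1' => ['primary' => 'Plan A'], '2' => ['primary' => 'Plan B']];

// Pre-fix shape: the document and insurance callbacks go straight to the
// data, so any token that authenticates at all reads every patient's records.
function vulnerableRoutes(): array
{
    return [
        'GET /api/patient/:pid/document'  => fn (array $req, string $pid): array => DOCUMENTS[$pid] ?? [],
        'GET /api/patient/:pid/insurance' => fn (array $req, string $pid): array => INSURANCE[$pid] ?? [],
    ];
}

// Same routes with the check the other patient routes already had.
function hardenedRoutes(): array
{
    return [
        'GET /api/patient/:pid/document' => function (array $req, string $pid): array {
            RestConfig::request_authorization_check($req, 'patients', 'docs');
            return DOCUMENTS[$pid] ?? [];
        },
        'GET /api/patient/:pid/insurance' => function (array $req, string $pid): array {
            RestConfig::request_authorization_check($req, 'patients', 'insurance');
            return INSURANCE[$pid] ?? [];
        },
    ];
}

// Minimal dispatcher for "METHOD /path" patterns with a :pid placeholder.
// Authentication (is the token valid at all?) happens here; authorization
// (may this token touch this resource?) is left to each route callback.
function dispatch(array $routes, string $method, string $path, ?string $bearer): array
{
    if (TokenStore::aclsFor($bearer) === null) {
        return ['status' => 401, 'body' => 'no valid bearer token'];
    }
    $request = ['bearer' => $bearer];
    foreach ($routes as $pattern => $handler) {
        [$routeMethod, $routePath] = explode(' ', $pattern, 2);
        $segments = array_map(
            fn (string $s): string => $s === ':pid' ? '([^/]+)' : preg_quote($s, '#'),
            explode('/', $routePath)
        );
        if ($routeMethod === $method && preg_match('#^' . implode('/', $segments) . '$#', $path, $m)) {
            try {
                return ['status' => 200, 'body' => $handler($request, $m[1])];
            } catch (RuntimeException $e) {
                return ['status' => (int) substr($e->getMessage(), 0, 3), 'body' => $e->getMessage()];
            }
        }
    }
    return ['status' => 404, 'body' => 'no such route'];
}

// A billing token (insurance ACL only) against both tables: the unchecked
// table hands over patient 2's documents, the hardened one refuses them
// while still serving the insurance route the token is entitled to.
foreach (['vulnerable' => vulnerableRoutes(), 'hardened' => hardenedRoutes()] as $label => $routes) {
    foreach (['/api/patient/2/document', '/api/patient/2/insurance'] as $path) {
        $r = dispatch($routes, 'GET', $path, 'tok-billing');
        printf("%-10s GET %-26s -> %d %s\n", $label, $path, $r['status'], json_encode($r['body']));
    }
}
```

The point the model makes is that the dispatcher only proves the token is valid; the ACL decision lives inside each route callback, so a route whose callback omits the call is reachable by every authenticated client. When auditing a route table of this shape, the check is simply whether every callback that touches patient data invokes the authorization function before returning anything.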
Meta Information
Published: 2026-02-25
Last Modified: 2026-02-27
Generated: 2026-06-16
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: open-emr
Product: openemr
Version / Range: all versions before 8.0.0 (8.0.0 itself excluded)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The vulnerability in OpenEMR prior to version 8.0.0 involves missing authorization checks in the REST API routes that handle patient documents and insurance data. Those routes did not call the function responsible for enforcing Access Control List (ACL) permissions, so any valid API bearer token could read or modify all patients' documents and insurance information regardless of the token's assigned permissions.

In practice the endpoints for adding, retrieving and modifying patient documents and insurance data were reachable without authorization validation, exposing protected health information (PHI) and insurance details to any client that held a valid API token, whatever its ACLs. [1, 2]

Impact Analysis

This vulnerability can have severe impacts by allowing unauthorized access and modification of sensitive patient documents and insurance data. Any authenticated API client with a valid bearer token, even with minimal permissions, can read, upload, or alter protected health information (PHI) and insurance details for any patient.

  • Unauthorized reading of all patient documents and insurance data.
  • Unauthorized modification or uploading of patient documents.
  • Unauthorized swapping or changing of insurance assignments.

This exposure can lead to privacy breaches, data integrity issues, and potential misuse of sensitive medical and financial information.

Detection Guidance

Exploitation leaves ordinary-looking API traffic: every request carries a valid bearer token, so the signal is which routes are hit and how broadly, not a failed authentication. Review web server or API gateway logs for requests to the routes that lacked the authorization check:

  • GET /api/patient/<patient_id>/document?path=/ (listing documents)
  • GET /api/patient/<patient_id>/document/<document_id> (downloading documents)
  • POST /api/patient/<patient_id>/document (adding or modifying documents)
  • GET /api/patient/<patient_uuid>/insurance (retrieving insurance data)
  • GET /api/patient/<patient_uuid>/insurance/$swap-insurance?type=primary&uuid=<insurance_uuid> (swapping insurance assignments)

A first pass over the access log with grep, for example:

  • grep -i 'GET /api/patient/.*/document' /var/log/openemr_access.log
  • grep -i 'POST /api/patient/.*/document' /var/log/openemr_access.log
  • grep -i 'GET /api/patient/.*/insurance' /var/log/openemr_access.log

These patterns also match legitimate use, so look for a single client walking many patient ids, document downloads or insurance swaps from clients whose tokens were never granted those ACLs, and activity from tokens or source addresses not associated with a known integration. Note that a standard web server access log does not record the Authorization header, so attributing requests to a specific token requires the application's own API request logging or the API gateway's logs. [2]
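Going one step past grep, the following is an added PHP 8 example (not part of the advisory and not OpenEMR's code) that parses Apache combined-format access log lines, keeps only successful requests to the document and insurance routes, and reports per source address how many distinct patients were touched and how many modifying requests (document POSTs, insurance swaps) were made. The log lines, addresses, patient ids, the enumeration threshold and the log path are all constructed for the example.

```php
<?php
// Added detection example for the document/insurance routes; not the
// advisory's or OpenEMR's code. Log lines, addresses, ids and the
// threshold below are constructed.
declare(strict_types=1);

// Constructed Apache combined-format sample: 10.0.0.5 reads one patient's
// chart; 10.0.0.9 walks patient ids, reads insurance and uploads a document.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [26/Feb/2026:09:12:01 +0000] "GET /api/patient/17/document?path=/ HTTP/1.1" 200 512 "-" "curl/8.5"
10.0.0.5 - - [26/Feb/2026:09:12:03 +0000] "GET /api/patient/17/document/90 HTTP/1.1" 200 40212 "-" "curl/8.5"
10.0.0.9 - - [26/Feb/2026:09:13:10 +0000] "GET /api/patient/1/document?path=/ HTTP/1.1" 200 310 "-" "python-requests/2.31"
10.0.0.9 - - [26/Feb/2026:09:13:11 +0000] "GET /api/patient/2/document?path=/ HTTP/1.1" 200 298 "-" "python-requests/2.31"
10.0.0.9 - - [26/Feb/2026:09:13:12 +0000] "GET /api/patient/3/document?path=/ HTTP/1.1" 200 305 "-" "python-requests/2.31"
10.0.0.9 - - [26/Feb/2026:09:13:14 +0000] "GET /api/patient/7a3f0d2e-1c4b-4e6f-9a8d-0b1c2d3e4f50/insurance HTTP/1.1" 200 1204 "-" "python-requests/2.31"
10.0.0.9 - - [26/Feb/2026:09:13:20 +0000] "POST /api/patient/3/document HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.9 - - [26/Feb/2026:09:14:00 +0000] "GET /api/patient/5/encounter HTTP/1.1" 200 700 "-" "python-requests/2.31"
10.0.0.9 - - [26/Feb/2026:09:14:05 +0000] "GET /api/patient/9/document?path=/ HTTP/1.1" 401 60 "-" "python-requests/2.31"
LOG;

// Pull client address, method, path and status out of one combined-format line.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int) $m[4]];
}

// Classify a request against the two affected route families. Returns the
// patient id (numeric id or uuid), the resource, and whether it modifies data.
function classify(string $method, string $path): ?array
{
    if (!preg_match('#^/api/patient/([^/?]+)/(document|insurance)(?=[/?]|$)#', $path, $m)) {
        return null;
    }
    $isWrite = ($m[2] === 'document' && $method === 'POST')
        || ($m[2] === 'insurance' && str_contains($path, '$swap-insurance'));
    return ['pid' => $m[1], 'resource' => $m[2], 'write' => $isWrite];
}

// Aggregate per client and flag breadth (many distinct patients) and writes.
// The access log carries no bearer token, so the client address is the only
// attribution available here; correlate with application-level API logs
// or the gateway's logs to tie activity to a token.
function analyze(string $log, int $enumThreshold = 3): array
{
    $perClient = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLine($line);
        if ($req === null || $req['status'] >= 400) {
            continue; // only requests that actually returned data
        }
        $hit = classify($req['method'], $req['path']);
        if ($hit === null) {
            continue;
        }
        $ip = $req['ip'];
        $perClient[$ip] ??= ['patients' => [], 'reads' => 0, 'writes' => 0];
        $perClient[$ip]['patients'][$hit['pid']] = true;
        $perClient[$ip][$hit['write'] ? 'writes' : 'reads']++;
    }

    $findings = [];
    foreach ($perClient as $ip => $c) {
        $distinct = count($c['patients']);
        $reasons = [];
        if ($distinct >= $enumThreshold) {
            $reasons[] = "touched $distinct distinct patients' documents/insurance";
        }
        if ($c['writes'] > 0) {
            $reasons[] = "{$c['writes']} document upload / insurance swap request(s)";
        }
        if ($reasons !== []) {
            $findings[$ip] = $reasons;
        }
    }
    return $findings;
}

// Run over the constructed sample; in practice feed it the real access log.
foreach (analyze(SAMPLE_LOG) as $ip => $reasons) {
    echo $ip, ': ', implode('; ', $reasons), PHP_EOL;
}
```

The enumeration threshold is deliberately low for the sample; on a production log it should be set from a baseline of how many patients a given integration touches per day. Requests that were refused (status 4xx) are skipped because they returned no PHI, which also keeps the unpatched-versus-patched comparison honest: after upgrading to 8.0.0, the same unauthorised requests show up as 403s and drop out of the findings.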

Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where the missing authorization checks have been added to the affected REST API routes.

If upgrading immediately is not possible, consider disabling or restricting access to the vulnerable API endpoints related to patient documents and insurance data until a patch can be applied.

Additionally, review which clients hold API bearer tokens and revoke any that are not needed: on affected versions a token's ACLs do not limit what it can reach on these routes, so the set of valid tokens is the effective boundary. Monitor API usage closely for suspicious activity.

Applying network-level controls such as firewall rules or API gateway policies to limit access to these endpoints can also reduce risk.
