CVE-2026-25746
SQL Injection in OpenEMR Prescription Module Allows Data Manipulation
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | < 8.0.0 (8.0.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for SQL injection attempts against the prescription listing functionality, specifically in the "sort" parameter of HTTP requests.

Detection involves analyzing web server logs or network traffic for "sort" values that are not plain column names: payloads that provoke SQL syntax errors, introduce time delays (e.g., SLEEP(5)), or follow boolean-based blind injection patterns.

Example approaches include probing the injection point with curl against your own instance, and filtering HTTP requests for suspicious "sort" parameter values in logs or with network monitoring tools:

- Use curl to test injection in the sort parameter: `curl -i -X GET 'http://<openemr-server>/controller.php?controller=prescription&action=list&sort=SLEEP(5)--'` (a delayed response on a vulnerable instance indicates the value reached the database unsanitized).
- Search web server logs for SQL error messages or suspicious patterns in the sort parameter.
- Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on SQL injection patterns targeting the prescription listing endpoints.

[2, 5]
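The log search described above, as an added example that is not part of this advisory or of OpenEMR: it parses combined-format access log lines, pulls out requests to the prescription listing controller named in the curl command, and flags any "sort" value that is not a bare column name with an optional direction. The log lines are constructed, the request path is taken from the curl example on this page, and the keyword list is a heuristic that should be tuned to the real parameter names before relying on it.

```python
"""Flag suspicious "sort" values for the prescription listing endpoint.

Added example, not OpenEMR tooling. Assumes Apache/Nginx combined log
format and the controller.php?controller=prescription&action=list path
shown in the advisory's curl command. SAMPLE_LOG is constructed data.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: one benign sort, one time-based probe,
# one boolean-based probe, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:01:02 +0000] "GET /controller.php?controller=prescription&action=list&sort=date_added HTTP/1.1" 200 5120
10.0.0.9 - - [25/Feb/2026:10:03:14 +0000] "GET /controller.php?controller=prescription&action=list&sort=SLEEP(5)-- HTTP/1.1" 200 5120
10.0.0.9 - - [25/Feb/2026:10:03:20 +0000] "GET /controller.php?controller=prescription&action=list&sort=(CASE%20WHEN%20(1=1)%20THEN%20id%20ELSE%20drug%20END) HTTP/1.1" 200 5120
10.0.0.5 - - [25/Feb/2026:10:04:00 +0000] "GET /interface/main/main_screen.php HTTP/1.1" 200 812
"""

# Combined log format: client, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate sort value is a column name, optionally followed by asc/desc.
BENIGN_SORT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*(\s+(asc|desc))?$", re.IGNORECASE)

# Keywords typical of time-, boolean- and error-based probes; used only to
# label the hit, not to decide it (anything failing BENIGN_SORT_RE is flagged).
KEYWORD_RE = re.compile(r"\b(sleep|benchmark|case|when|select|union|and|or)\b", re.IGNORECASE)


def suspicious_sort_requests(log_text: str) -> list:
    """Return one record per request whose sort value is not a plain column."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values and splits each pair on the first '='
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if qs.get("controller") != ["prescription"] or "sort" not in qs:
            continue
        for value in qs["sort"]:
            if BENIGN_SORT_RE.match(value):
                continue
            kw = KEYWORD_RE.search(value)
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "sort": value,
                "indicator": kw.group(1) if kw else "non-identifier value",
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_sort_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} indicator={hit['indicator']} sort={hit['sort']!r}")
```

Run it over a real access log by passing the file contents to `suspicious_sort_requests`; the strict identifier check catches payloads regardless of keyword casing or encoding, while the keyword label tells an analyst at a glance whether the probe was time-based (SLEEP/BENCHMARK) or boolean-based (CASE/WHEN).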
Can you explain this vulnerability to me?
CVE-2026-25746 is a SQL injection vulnerability in OpenEMR versions prior to 8.0.0, specifically in the prescription listing functionality. The vulnerability arises because the user-supplied "sort" parameter is concatenated directly into SQL queries without proper sanitization or escaping. This allows authenticated attackers with standard prescription permissions to inject arbitrary SQL into the ORDER BY clause of a query.

The root cause is insufficient input validation in the prescription listing feature: the "sort" parameter is not neutralized, so an attacker can reshape the query to extract sensitive data or cause other malicious effects.

Exploitation techniques include syntax error injection, boolean-based blind SQL injection, and time-based injection using SQL functions such as SLEEP(). Attackers can extract sensitive information such as usernames and hashed passwords from the database.

[2, 5]
How can this vulnerability impact me? :
This vulnerability can have severe impacts, including unauthorized access to sensitive medical and user data stored in the OpenEMR system.

Attackers exploiting this SQL injection can extract confidential information such as usernames and password hashes, potentially leading to full database compromise.

In some cases, exploitation may allow server-side code execution, further compromising the system's integrity and availability.

Because the vulnerability requires only standard authenticated permissions, the barrier to exploitation is low.

[2, 5]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where this SQL injection vulnerability in the prescription listing functionality has been fixed.

If upgrading immediately is not possible, restrict access to the prescription listing functionality to trusted authenticated users only, and monitor for suspicious activity.

Implement web application firewall (WAF) rules to block or alert on suspicious SQL injection payloads targeting the "sort" parameter.

Review and apply the patch that sanitizes and validates the "order_by" parameter by whitelisting allowed columns and sort directions, as described in the official fix.

[4, 5]
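The ORDER BY concatenation described in the explanation above, and the whitelist fix described in the mitigation steps, as one added example that is not OpenEMR's code and does not reproduce its actual query or schema. The tables, rows, column names and function names are constructed for illustration; the vulnerable function shows why an ORDER BY injection is a usable boolean oracle even without UNION, and the hardened function shows the column-and-direction whitelist pattern the fix is described as using. The same structure carries over directly to PHP.

```python
"""Vulnerable vs. hardened ORDER BY construction for a 'sort' parameter.

Added example, not OpenEMR code. The prescriptions/users tables, the
sample rows and the function names are constructed for illustration.
"""
import sqlite3

# Hardened version: the only sort keys and directions the application accepts.
ALLOWED_SORT_COLUMNS = {"id": "id", "drug": "drug", "date_added": "date_added"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE prescriptions (id INTEGER, drug TEXT, date_added TEXT);
        INSERT INTO prescriptions VALUES (1, 'Metformin', '2026-01-03');
        INSERT INTO prescriptions VALUES (2, 'Aspirin',   '2026-01-01');
        INSERT INTO prescriptions VALUES (3, 'Zolpidem',  '2026-01-02');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', '$2y$10$constructedhash');
        """
    )
    return conn


def list_prescriptions_vulnerable(conn, sort: str) -> list:
    """CWE-89: the caller-controlled sort value is concatenated into ORDER BY."""
    sql = "SELECT id, drug FROM prescriptions ORDER BY " + sort
    return [row[0] for row in conn.execute(sql)]


def list_prescriptions_hardened(conn, sort: str) -> list:
    """Map the request value onto a whitelisted column and direction.

    Only the whitelist's own strings ever reach the SQL text, so the request
    value cannot contribute syntax. Unknown keys are rejected, not stripped.
    """
    column, _, direction = sort.strip().lower().partition(" ")
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = direction.strip() or "asc"
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = ("SELECT id, drug FROM prescriptions ORDER BY "
           f"{ALLOWED_SORT_COLUMNS[column]} {ALLOWED_DIRECTIONS[direction]}")
    return [row[0] for row in conn.execute(sql)]


def blind_oracle_payload(guess: str) -> str:
    """Boolean-based ORDER BY injection: sort by drug when the guess matches
    the start of the admin hash, by id otherwise. The row order in the
    response leaks one bit per request, which is how hashes get extracted."""
    return (f"(CASE WHEN (SELECT substr(password,1,{len(guess)}) FROM users "
            f"WHERE username='admin')='{guess}' THEN drug ELSE id END)")


if __name__ == "__main__":
    db = demo_db()
    print("benign:      ", list_prescriptions_vulnerable(db, "drug"))
    print("guess right: ", list_prescriptions_vulnerable(db, blind_oracle_payload("$2y")))
    print("guess wrong: ", list_prescriptions_vulnerable(db, blind_oracle_payload("xyz")))
    try:
        list_prescriptions_hardened(db, blind_oracle_payload("$2y"))
    except ValueError as exc:
        print("hardened:    rejected:", exc)
```

The hardened version deliberately rejects rather than sanitizes: escaping is the wrong tool for an identifier position, because a quoted or escaped column name is still not a bound parameter. The sort value only ever selects one of the application's own fixed strings.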