CVE-2026-25927
Insecure Direct Object Reference in OpenEMR DICOM Viewer
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | to 8.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25927 is a high-severity authorization bypass vulnerability in the OpenEMR DICOM viewer state API affecting versions prior to 8.0.0.

The vulnerability occurs because the API accepts a document ID (doc_id) without verifying that the document belongs to the current user's authorized patient or encounter.

This means an authenticated user with access to the DICOM viewer can read or modify the viewer state (such as annotations and view settings) for any document by guessing or enumerating document IDs belonging to other patients.

The root cause is an Insecure Direct Object Reference (IDOR) vulnerability where the system fails to enforce patient or encounter-level access controls, allowing unauthorized access to protected health information. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure and tampering of protected health information (PHI) and imaging metadata.
An attacker who is an authenticated user with DICOM viewer permissions can access or modify sensitive medical images and related data of other patients without proper authorization.
This compromises patient privacy and data integrity, potentially leading to misuse of medical information or incorrect medical decisions based on altered data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the DICOM viewer state API with a document ID (doc_id) that belongs to another patient and observing if the API returns or updates the state for that document without proper authorization.

A proof of concept involves logging in as a user with DICOM viewer permissions and then making a request such as:

- GET /controller.php?document&view&patient_id=1&doc_id=300

If the API returns data or allows modification for a doc_id that does not belong to the authenticated user's authorized patient or encounter, the vulnerability is confirmed.

The expected secure behavior is that the server verifies the document's patient or encounter ownership and user authorization, returning HTTP 403 if unauthorized. [1]
What immediate steps should I take to mitigate this vulnerability?
At the time of the advisory, no patch or fixed version is available.
Immediate mitigation steps include restricting access to the DICOM viewer state API to only fully trusted users and monitoring API usage for suspicious requests involving document ID enumeration.
Additionally, consider implementing network-level controls such as firewall rules or API gateways to limit access to the vulnerable endpoints.
Plan to upgrade to OpenEMR version 8.0.0 or later once it becomes available, as it contains the fix that properly verifies document ownership and user authorization.
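The missing check described in the root-cause explanation and the expected 403 behaviour, shown as an added example (not OpenEMR's code; the table names, column names and sample rows are constructed for illustration): a handler that trusts the caller-supplied doc_id beside one that resolves the document's owner server-side and enforces the user's patient-level authorization.

```python
import sqlite3

# Constructed sample data standing in for an EHR's document and access tables
# (hypothetical schema, not OpenEMR's). Document 300 belongs to patient 2;
# user 7 is only authorized for patient 1.
SCHEMA = """
CREATE TABLE documents (id INTEGER PRIMARY KEY, patient_id INTEGER, viewer_state TEXT);
CREATE TABLE user_patient_access (user_id INTEGER, patient_id INTEGER);
INSERT INTO documents VALUES (100, 1, '{"zoom": 1.0}');
INSERT INTO documents VALUES (300, 2, '{"zoom": 2.5, "annotations": ["lesion"]}');
INSERT INTO user_patient_access VALUES (7, 1);
"""


def open_db():
    """Fresh in-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def viewer_state_vulnerable(conn, user_id, doc_id):
    """IDOR pattern (CWE-639): doc_id is the only key consulted, so user_id is
    never related to the document and any viewer user can read any state."""
    row = conn.execute("SELECT viewer_state FROM documents WHERE id = ?",
                       (doc_id,)).fetchone()
    return (404, None) if row is None else (200, row[0])


def viewer_state_fixed(conn, user_id, patient_id, doc_id):
    """Hardened handler: look up the document's owning patient server-side,
    require it to match the patient_id in the request, and require that the
    user is authorized for that patient. Anything else is a 403."""
    row = conn.execute("SELECT patient_id, viewer_state FROM documents WHERE id = ?",
                       (doc_id,)).fetchone()
    if row is None:
        return (404, None)
    owner, state = row
    if owner != patient_id:
        return (403, None)  # doc_id does not belong to the requested patient
    allowed = conn.execute(
        "SELECT 1 FROM user_patient_access WHERE user_id = ? AND patient_id = ?",
        (user_id, owner)).fetchone()
    if allowed is None:
        return (403, None)  # user has no access to this patient's chart
    return (200, state)
```

With the constructed data, the vulnerable handler hands user 7 the state of document 300 (patient 2's), while the fixed handler refuses it whether the request names patient 1 or patient 2.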