Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25927 is a high-severity authorization bypass vulnerability in the OpenEMR DICOM viewer state API affecting versions prior to 8.0.0.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the API accepts a document ID (doc_id) without verifying that the document belongs to the current user's authorized patient or encounter."}, {'type': 'paragraph', 'content': 'This means an authenticated user with access to the DICOM viewer can read or modify the viewer state (such as annotations and view settings) for any document by guessing or enumerating document IDs belonging to other patients.'}, {'type': 'paragraph', 'content': 'The root cause is an Insecure Direct Object Reference (IDOR) vulnerability where the system fails to enforce patient or encounter-level access controls, allowing unauthorized access to protected health information.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure and tampering of protected health information (PHI) and imaging metadata.

An attacker who is an authenticated user with DICOM viewer permissions can access or modify sensitive medical images and related data of other patients without proper authorization.

This compromises patient privacy and data integrity, potentially leading to misuse of medical information or incorrect medical decisions based on altered data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the DICOM viewer state API with a document ID (doc_id) that belongs to another patient and observing if the API returns or updates the state for that document without proper authorization.'}, {'type': 'paragraph', 'content': 'A proof of concept involves logging in as a user with DICOM viewer permissions and then making a request such as:'}, {'type': 'list_item', 'content': 'GET /controller.php?document&view&patient_id=1&doc_id=300'}, {'type': 'paragraph', 'content': "If the API returns data or allows modification for a doc_id that does not belong to the authenticated user's authorized patient or encounter, the vulnerability is confirmed."}, {'type': 'paragraph', 'content': 'The expected secure behavior is that the server verifies the document’s patient or encounter ownership and user authorization, returning HTTP 403 if unauthorized.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

At the time of the advisory, no patch or fixed version is available.

Immediate mitigation steps include restricting access to the DICOM viewer state API to only fully trusted users and monitoring API usage for suspicious requests involving document ID enumeration.

Additionally, consider implementing network-level controls such as firewall rules or API gateways to limit access to the vulnerable endpoints.

Plan to upgrade to OpenEMR version 8.0.0 or later once it becomes available, as it contains the fix that properly verifies document ownership and user authorization.

Useful 0 Not Useful 0