CVE-2026-25929
Unauthorized Access in OpenEMR Patient Picture Document Controller
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | all versions before 8.0.0 (8.0.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25929 is an authorization bypass vulnerability in OpenEMR versions prior to 8.0.0. The issue occurs in the document controller's 'patient_picture' context, where the system serves patient photos based on a document ID or patient ID supplied in the request without properly verifying that the authenticated user is authorized to access that patient's data.

Specifically, an authenticated user with document access control list (ACL) permissions can supply another patient's ID and retrieve their photo, bypassing proper authorization checks. This happens because the access control only verifies category-level permissions and does not confirm that the document's linked patient matches the authorized patient for the user.

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) and is caused by missing patient ID authorization checks when serving patient pictures.
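The two checks described above (category-level ACL only versus ACL plus a per-patient and document-linkage check) are easiest to see side by side. The following is an added illustration written for this page, not OpenEMR's own code: the `Document`/`User` types, the `DOCUMENTS` store, the `"patients:docs"` ACL string and the `authorized_patients` model are all constructed assumptions that stand in for the real controller's data.

```python
"""Model of the IDOR behind CVE-2026-25929: category-level ACL vs. a per-patient check.

Added illustration, not OpenEMR code: Document, User, the DOCUMENTS store and the
serve_picture_* functions are constructed for this example.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("patient_picture")


class Forbidden(Exception):
    """Request denied by authorization."""


class NotFound(Exception):
    """No matching document."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    patient_id: int   # patient the document is linked to
    category: str     # document category, e.g. "patient_picture"
    path: str


@dataclass(frozen=True)
class User:
    username: str
    acl: frozenset                  # category-level ACL entries, e.g. {"patients:docs"} (assumed)
    authorized_patients: frozenset  # patient IDs this user may view (assumed model)


# Constructed sample document store: two patients, one photo each.
DOCUMENTS = {
    10: Document(10, 123, "patient_picture", "/documents/123/photo.jpg"),
    11: Document(11, 456, "patient_picture", "/documents/456/photo.jpg"),
}


def latest_picture_for(patient_id):
    """Mimics document_id=-1: look up the patient's current picture by patient ID."""
    for doc in DOCUMENTS.values():
        if doc.patient_id == patient_id and doc.category == "patient_picture":
            return doc
    return None


def resolve(patient_id, document_id):
    """Resolve either an explicit document ID or, for -1, the patient's latest picture."""
    return DOCUMENTS.get(document_id) if document_id > 0 else latest_picture_for(patient_id)


def serve_picture_vulnerable(user, patient_id, document_id=-1):
    """Vulnerable pattern: only the category-level ACL is checked, so the request-supplied
    patient_id/document_id are trusted and any patient's photo is served."""
    if "patients:docs" not in user.acl:
        raise Forbidden("no document ACL")
    doc = resolve(patient_id, document_id)
    if doc is None:
        raise NotFound(patient_id)
    return doc.path


def serve_picture_fixed(user, patient_id, document_id=-1):
    """Hardened pattern: keep the ACL check, then verify (1) the user is authorized for the
    requested patient and (2) the resolved document is actually linked to that patient.
    Denials are logged so that probing shows up in the audit trail."""
    if "patients:docs" not in user.acl:
        raise Forbidden("no document ACL")
    if patient_id not in user.authorized_patients:
        log.warning("user %s requested picture of unauthorized patient %s",
                    user.username, patient_id)
        raise Forbidden("not authorized for patient")
    doc = resolve(patient_id, document_id)
    if doc is None:
        raise NotFound(patient_id)
    if doc.patient_id != patient_id:
        log.warning("user %s requested document %s not linked to patient %s",
                    user.username, doc.doc_id, patient_id)
        raise Forbidden("document not linked to requested patient")
    return doc.path


if __name__ == "__main__":
    nurse = User("nurse", frozenset({"patients:docs"}), frozenset({123}))
    print(serve_picture_vulnerable(nurse, 456))   # served although nurse is not authorized for 456
    try:
        serve_picture_fixed(nurse, 456)
    except Forbidden as exc:
        print("fixed version denies:", exc)
```

The second check in `serve_picture_fixed` matters even when the first passes: a caller authorized for patient 123 who supplies an explicit `document_id` belonging to patient 456 would otherwise still receive the other patient's photo, which is why the fix verifies the document's linked patient rather than trusting the pair of IDs in the request.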
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of protected health information (PHI), specifically patient photos, to any authenticated user who has document access permissions.
An attacker or unauthorized user can exploit this flaw to access sensitive patient images by supplying arbitrary patient IDs, potentially violating patient privacy and confidentiality.
The impact is significant because it exposes confidential patient data without proper authorization, which can undermine trust in the healthcare system and lead to privacy breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access patient photos using patient IDs other than the authenticated user's authorized patient ID. Specifically, an authenticated user with document access can try to retrieve photos of other patients by sending crafted HTTP GET requests to the document controller.

A proof of concept command to test for this vulnerability is to send a GET request similar to the following:

```shell
curl -i -G 'http://<openemr-server>/controller.php' --data-urlencode 'document' --data-urlencode 'retrieve' --data-urlencode 'patient_id=456' --data-urlencode 'document_id=-1' --data-urlencode 'as_file=false' --data-urlencode 'original_file=true' --data-urlencode 'disable_exit=false' --data-urlencode 'show_original=true' --data-urlencode 'context=patient_picture'
```

If the server responds with the photo of the specified patient ID (e.g., patient_id=456) despite the authenticated user not being authorized for that patient, it confirms the presence of the vulnerability.

Additionally, monitoring system logs for warnings or security access events related to unauthorized patient picture access attempts can help detect exploitation attempts.
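On an unpatched instance the controller itself logs nothing useful, so the web server's access log is the only record of probing. The following is an added example, not part of the advisory or of OpenEMR: it parses constructed access-log lines in common log format (the request shape matches the curl command above), keeps only successful `controller.php` requests with `context=patient_picture`, and flags any client/user pair that fetched pictures for several distinct `patient_id` values inside a short window. The sample lines, the `window` and `threshold` values and the log format are assumptions for the illustration.

```python
"""Flag bursts of patient-picture requests for many distinct patient IDs.

Added detection example for CVE-2026-25929, not OpenEMR code. The log lines below are
constructed; the window/threshold values are starting points to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format with an authenticated user field).
SAMPLE_LOG = """\
10.0.0.5 - alice [25/Feb/2026:10:01:02 +0000] "GET /controller.php?document&retrieve&patient_id=123&document_id=-1&context=patient_picture HTTP/1.1" 200 5120
10.0.0.5 - alice [25/Feb/2026:10:01:05 +0000] "GET /controller.php?document&retrieve&patient_id=456&document_id=-1&context=patient_picture HTTP/1.1" 200 4870
10.0.0.5 - alice [25/Feb/2026:10:01:09 +0000] "GET /controller.php?document&retrieve&patient_id=789&document_id=-1&context=patient_picture HTTP/1.1" 200 5011
10.0.0.5 - alice [25/Feb/2026:10:01:12 +0000] "GET /controller.php?document&retrieve&patient_id=1011&document_id=-1&context=patient_picture HTTP/1.1" 200 4999
10.0.0.9 - bob [25/Feb/2026:10:02:00 +0000] "GET /controller.php?document&retrieve&patient_id=123&document_id=-1&context=patient_picture HTTP/1.1" 200 5120
10.0.0.9 - bob [25/Feb/2026:10:05:30 +0000] "GET /controller.php?document&retrieve&patient_id=123&document_id=-1&context=patient_picture HTTP/1.1" 200 5120
10.0.0.9 - bob [25/Feb/2026:10:06:00 +0000] "GET /interface/main/main_screen.php HTTP/1.1" 200 20000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m["target"])
    # keep_blank_values keeps the valueless "document" and "retrieve" keys visible
    qs = parse_qs(url.query, keep_blank_values=True)
    return {
        "ip": m["ip"], "user": m["user"], "ts": ts, "path": url.path,
        "status": int(m["status"]),
        "patient_id": qs.get("patient_id", [None])[0],
        "context": qs.get("context", [None])[0],
    }


def picture_requests(log_text):
    """Yield only successful patient-picture retrievals via controller.php."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if (ev and ev["path"].endswith("/controller.php")
                and ev["context"] == "patient_picture"
                and ev["status"] == 200 and ev["patient_id"]):
            yield ev


def find_enumeration(log_text, window=timedelta(seconds=60), threshold=3):
    """Return one finding per (ip, user) that fetched >= threshold distinct patient
    pictures within any sliding window of the given length."""
    by_actor = defaultdict(list)
    for ev in picture_requests(log_text):
        by_actor[(ev["ip"], ev["user"])].append((ev["ts"], ev["patient_id"]))
    findings = []
    for (ip, user), events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            pids = {pid for ts, pid in events[i:] if ts - start <= window}
            if len(pids) >= threshold:
                findings.append({"ip": ip, "user": user, "window_start": start,
                                 "patient_ids": sorted(pids)})
                break   # one finding per actor is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print(f"{f['user']}@{f['ip']} fetched pictures for {f['patient_ids']} from {f['window_start']}")
```

The threshold is deliberately low for the sample; a clinician legitimately opening several charts in a row will also request several patients' pictures, so tune `window` and `threshold` against normal traffic, and once the instance is on 8.0.0 or later prefer the application's own warning/security-event log, which records the denied requests directly rather than inferring them from volume.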
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where this vulnerability is fixed by enforcing strict authorization checks on patient picture retrieval.

If upgrading is not immediately possible, restrict access to the document controller's patient picture retrieval functionality to only trusted users and monitor for suspicious access attempts.

Implement network-level controls such as firewall rules or application-level access controls to limit who can send requests to the vulnerable endpoints.

Review and audit user permissions to ensure that only necessary users have document ACL permissions, reducing the risk of unauthorized access.

Enable and review logging and auditing features to detect unauthorized access attempts, as the patched version logs warnings and security events for such attempts.