CVE-2026-25929
Received Received - Intake
Unauthorized Access in OpenEMR Patient Picture Document Controller

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the document controller’s `patient_picture` context serves the patient’s photo by document ID or patient ID without verifying that the current user is authorized to access that patient. An authenticated user with document ACL can supply another patient’s ID and retrieve their photo. Version 8.0.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25929
EUVD
EUVD-2026-8716
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25929 is an authorization bypass vulnerability in OpenEMR versions prior to 8.0.0. The issue occurs in the document controller's 'patient_picture' context, where the system serves patient photos based on a document ID or patient ID supplied in the request without properly verifying that the authenticated user is authorized to access that patient's data."}, {'type': 'paragraph', 'content': "Specifically, an authenticated user with document access control list (ACL) permissions can supply another patient's ID and retrieve their photo, bypassing proper authorization checks. This happens because the access control only verifies category-level permissions and does not confirm that the document's linked patient matches the authorized patient for the user."}, {'type': 'paragraph', 'content': 'The vulnerability is classified as an Insecure Direct Object Reference (IDOR) and is caused by missing patient ID authorization checks when serving patient pictures.'}] [2, 1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of protected health information (PHI), specifically patient photos, to any authenticated user who has document access permissions.

An attacker or unauthorized user can exploit this flaw to access sensitive patient images by supplying arbitrary patient IDs, potentially violating patient privacy and confidentiality.

The impact is significant because it exposes confidential patient data without proper authorization, which can undermine trust in the healthcare system and lead to privacy breaches.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to access patient photos using patient IDs other than the authenticated user's authorized patient ID. Specifically, an authenticated user with document access can try to retrieve photos of other patients by sending crafted HTTP GET requests to the document controller."}, {'type': 'paragraph', 'content': 'A proof of concept command to test for this vulnerability is to send a GET request similar to the following:'}, {'type': 'list_item', 'content': "curl -i -G 'http://<openemr-server>/controller.php' --data-urlencode 'document' --data-urlencode 'retrieve' --data-urlencode 'patient_id=456' --data-urlencode 'document_id=-1' --data-urlencode 'as_file=false' --data-urlencode 'original_file=true' --data-urlencode 'disable_exit=false' --data-urlencode 'show_original=true' --data-urlencode 'context=patient_picture'"}, {'type': 'paragraph', 'content': 'If the server responds with the photo of the specified patient ID (e.g., patient_id=456) despite the authenticated user not being authorized for that patient, it confirms the presence of the vulnerability.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring system logs for warnings or security access events related to unauthorized patient picture access attempts can help detect exploitation attempts.'}] [2, 1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade OpenEMR to version 8.0.0 or later, where this vulnerability is fixed by enforcing strict authorization checks on patient picture retrieval.'}, {'type': 'paragraph', 'content': "If upgrading is not immediately possible, restrict access to the document controller's patient picture retrieval functionality to only trusted users and monitor for suspicious access attempts."}, {'type': 'paragraph', 'content': 'Implement network-level controls such as firewall rules or application-level access controls to limit who can send requests to the vulnerable endpoints.'}, {'type': 'paragraph', 'content': 'Review and audit user permissions to ensure that only necessary users have document ACL permissions, reducing the risk of unauthorized access.'}, {'type': 'paragraph', 'content': 'Enable and review logging and auditing features to detect unauthorized access attempts, as the patched version logs warnings and security events for such attempts.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25929. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart