CVE-2026-25146
Status: Received - Intake
Plaintext Exposure of gateway_api_key in OpenEMR Enables Account Takeover

Publication date: 2026-03-03

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. In versions from 5.0.2 up to but not including 8.0.0, there are at least two paths where the gateway_api_key secret value is rendered to the client in plaintext. A leaked key could allow arbitrary money movement or broad account takeover of the payment gateway's APIs. This vulnerability is fixed in 8.0.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-04
EPSS Evaluated: 2026-05-05 (no probability or percentile is shown on this page)
External references: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: open-emr
Product: openemr
Version range: from 5.0.2 (inclusive) to 8.0.0 (exclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in OpenEMR versions from 5.0.2 up to but not including 8.0.0. It involves the gateway_api_key secret value being exposed to the client in plaintext through at least two different paths. This means that sensitive secret keys used for payment gateway APIs can be leaked.

Because these secret keys are exposed, an attacker could potentially use them to perform unauthorized actions such as moving money arbitrarily or taking over payment gateway accounts.

The issue has been fixed in version 8.0.0 of OpenEMR.


How can this vulnerability impact me?:

The impact is severe: a gateway_api_key is a long-lived credential for the payment gateway's API, so anyone who reads it from a page served by the affected OpenEMR versions can act as the practice against that gateway.

With the key, an attacker could initiate or redirect payments (arbitrary money movement), causing direct financial loss, and could take over the gateway account itself, which opens the door to further fraud against the practice and its patients.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know
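Added here as an example, not part of the page's Q&A and not OpenEMR project code: two offline checks a defender can run for this CVE. The first reads the version OpenEMR declares in its version.php ($v_major, $v_minor, $v_patch, the variables that file ships at the web root) and tests it against the affected range [5.0.2, 8.0.0). The second searches saved HTTP response bodies (for example pages you captured from your own portal while logged in) for the literal value of your configured gateway_api_key, which is exactly what the advisory says is rendered to the client. The web-root path, the version.php sample and the response bodies below are constructed for the example.

```python
"""Offline checks for CVE-2026-25146 (added example, not OpenEMR code)."""
import html
import re
from pathlib import Path
from typing import Dict, List, Tuple

AFFECTED_MIN = (5, 0, 2)   # first affected version (inclusive)
FIXED = (8, 0, 0)          # first fixed version (exclusive)
VERSION_VARS = ("v_major", "v_minor", "v_patch")

# Constructed sample modeled on the layout of OpenEMR's version.php.
SAMPLE_VERSION_PHP = """<?php
$v_major = '7';
$v_minor = '0';
$v_patch = '2';
$v_realpatch = '0';
$v_tag = '';
"""

# Constructed key value and constructed response bodies (not real data).
SAMPLE_KEY = "sk_CONSTRUCTED_EXAMPLE_KEY_0123"
SAMPLE_RESPONSES = {
    "portal_payment.html": '<input type="hidden" name="gateway_api_key" '
                           'value="sk_CONSTRUCTED_EXAMPLE_KEY_0123">',
    "index.html": "<html><body>Welcome</body></html>",
    "globals.js": 'var cfg = {"gateway_api_key": "sk_CONSTRUCTED_EXAMPLE_KEY_0123"};',
}


def parse_version_php(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the source text of version.php."""
    found = {}
    for name in VERSION_VARS:
        # Matches e.g.  $v_major = '7';  or  $v_major = 7;
        pattern = r'''\$''' + name + r'''\s*=\s*['"]?(\d+)['"]?\s*;'''
        m = re.search(pattern, text)
        if not m:
            raise ValueError("$%s not found in version.php" % name)
        found[name] = int(m.group(1))
    return (found["v_major"], found["v_minor"], found["v_patch"])


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when version lies in [5.0.2, 8.0.0)."""
    return AFFECTED_MIN <= version < FIXED


def check_install(webroot: str) -> Dict[str, object]:
    """Read version.php from an OpenEMR web root (path is an assumption)."""
    text = Path(webroot, "version.php").read_text(encoding="utf-8")
    v = parse_version_php(text)
    return {"version": ".".join(map(str, v)), "affected": is_affected(v)}


def find_key_leaks(api_key: str, responses: Dict[str, str]) -> List[str]:
    """Names of response bodies that contain the key verbatim.

    The key is looked for as a raw substring and in its HTML-escaped form,
    so a key embedded in an attribute value, a JS string or JSON is caught.
    """
    needles = {api_key, html.escape(api_key, quote=True)}
    leaked = [name for name, body in responses.items()
              if any(n in body for n in needles)]
    return sorted(leaked)


def run_samples() -> Dict[str, object]:
    """Run both checks on the constructed samples."""
    v = parse_version_php(SAMPLE_VERSION_PHP)
    return {
        "version": ".".join(map(str, v)),
        "affected": is_affected(v),
        "leaks": find_key_leaks(SAMPLE_KEY, SAMPLE_RESPONSES),
    }


if __name__ == "__main__":
    print(run_samples())
    # On a real host: print(check_install("/var/www/html/openemr"))
```

The version check is the authoritative one; the response scan only confirms exposure on pages you happened to capture, so a clean scan does not prove the key is not rendered elsewhere. Run it with the key value from your own configuration and with responses captured from an authenticated session, since the advisory does not say which paths render the key.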


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade OpenEMR to version 8.0.0 or later, where the issue is fixed. Because the key may already have been rendered to clients, treat the configured gateway_api_key as compromised: rotate it at the payment gateway after upgrading, and review the gateway's transaction and API activity for operations you did not initiate.

