CVE-2026-25146
Plaintext Exposure of gateway_api_key in OpenEMR Enables Account Takeover

Publication date: 2026-03-03

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-04
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor     Product   Version / Range
open-emr   openemr   From 5.0.2 (inc) to 8.0.0 (exc)
CWE ID    Description
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

This vulnerability exists in OpenEMR versions from 5.0.2 up to but not including 8.0.0. It involves the gateway_api_key secret value being exposed to the client in plaintext through at least two different paths. This means that sensitive secret keys used for payment gateway APIs can be leaked.

Because these secret keys are exposed, an attacker who obtains them could use them to perform unauthorized actions such as moving money arbitrarily or taking over payment gateway accounts.

The issue has been fixed in version 8.0.0 of OpenEMR.

Impact Analysis

The impact of this vulnerability is severe because leaked gateway_api_key secrets can lead to unauthorized financial transactions or broad account takeover of payment gateway APIs.

This could result in arbitrary money movement, meaning attackers could transfer funds without permission, causing financial loss and damage to the affected organization.

Additionally, the compromise of payment gateway accounts could lead to further exploitation or fraud.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenEMR to version 8.0.0 or later, where the issue has been fixed. Since the key may already have been rendered to clients on an affected version, treat the existing gateway_api_key as potentially exposed and rotate it with the payment gateway provider after upgrading; upgrading alone does not revoke a key that has already been leaked.
