CVE-2026-29187
Status: Received - Intake
Blind SQL Injection in OpenEMR Patient Search Allows Data Manipulation

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality (/interface/new/new_search_popup.php). The vulnerability allows an authenticated attacker to execute arbitrary SQL commands by manipulating the HTTP parameter keys rather than the values. Version 8.0.0.3 contains a patch.
Meta Information
Published: 2026-03-25
Last Modified: 2026-03-26
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: open-emr
Product: openemr
Version / Range: up to 8.0.0.3 (exclusive)
CWE ID: CWE-89
Description: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Blind SQL Injection found in the Patient Search functionality of OpenEMR versions prior to 8.0.0.3. It allows an authenticated attacker to execute arbitrary SQL commands by manipulating the HTTP parameter keys instead of the values.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized access and manipulation of the database, potentially exposing or altering sensitive patient data. Since the CVSS score indicates high confidentiality and integrity impact, an attacker could steal or modify critical health records.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade OpenEMR to version 8.0.0.3 or later, as this version contains the patch that fixes the Blind SQL Injection vulnerability in the Patient Search functionality.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a Blind SQL Injection in the Patient Search functionality of OpenEMR, which allows an authenticated attacker to execute arbitrary SQL commands. Given that OpenEMR is an electronic health records application, exploitation of this vulnerability could lead to unauthorized access or manipulation of sensitive patient data.

Such unauthorized access or data manipulation can compromise the confidentiality and integrity of protected health information (PHI), potentially violating regulations like HIPAA that mandate strict safeguards for patient data.

Similarly, if personal data of EU residents is involved, this vulnerability could lead to breaches of GDPR requirements concerning data protection and privacy.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the Patient Search functionality in OpenEMR, specifically targeting the HTTP parameters whose keys start with the prefix 'mf_'. An authenticated user can attempt to inject SQL commands by manipulating these parameter keys rather than their values.

A common detection method involves sending crafted HTTP requests to the vulnerable endpoint (/interface/new/new_search_popup.php) with parameter keys designed to test for Boolean-based blind SQL injection. For example, you can send requests that check if the database name starts with a certain letter and observe the application's response to infer if the injection is successful.

Example commands using curl to test for SQL injection by manipulating parameter keys:

  • curl -i -X POST 'https://your-openemr-instance/interface/new/new_search_popup.php' -d 'mf_dbname`=test' -d 'mf_fname=John'
  • curl -i -X POST 'https://your-openemr-instance/interface/new/new_search_popup.php' -d 'mf_dbname` LIKE BINARY "a%"-- =1' -d 'mf_fname=John'

By varying the injected SQL in the parameter keys and analyzing the response differences (such as changes in search results or error messages), you can detect the presence of the Blind SQL Injection vulnerability.

Note that these tests require authentication since the vulnerability requires an authenticated attacker.
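For monitoring rather than active testing, the same property can be checked passively. The following is an added example, not code from OpenEMR or from this advisory: it scans captured POST bodies sent to the search endpoint and flags any 'mf_' parameter key that is not a plain identifier. The allowed key pattern and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/interface/new/new_search_popup.php"

# Assumption: a legitimate search key is "mf_" followed by a plain
# column-style identifier (letters, digits, underscore). Backticks, spaces,
# quotes or comment markers in a key do not belong there.
SAFE_KEY = re.compile(r"mf_[A-Za-z0-9_]{1,64}")


def suspicious_keys(body: str) -> list[str]:
    """Return the decoded mf_-prefixed keys that are not plain identifiers."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return [k for k, _ in pairs
            if k.startswith("mf_") and not SAFE_KEY.fullmatch(k)]


def scan(records):
    """records: iterable of (request_path, form_body) tuples.

    Returns a list of (request_path, offending_keys) for requests to the
    patient search endpoint that carry at least one malformed mf_ key.
    """
    hits = []
    for path, body in records:
        if not path.split("?", 1)[0].endswith(ENDPOINT):
            continue  # other endpoints are out of scope for this check
        bad = suspicious_keys(body)
        if bad:
            hits.append((path, bad))
    return hits


# Constructed sample records (path, url-encoded body); not real traffic.
SAMPLE = [
    (ENDPOINT, "mf_fname=John&mf_lname=Doe"),
    (ENDPOINT, "mf_dbname%60=test&mf_fname=John"),
    ("/interface/login/login.php", "mf_x%60=1"),
]

if __name__ == "__main__":
    for path, keys in scan(SAMPLE):
        print(f"ALERT {path}: unexpected parameter keys {keys!r}")
```

The records would normally come from a reverse proxy or WAF that logs request bodies; ordinary access logs do not contain POST parameter names.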

