CVE-2026-25927

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0

Description OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0 have an issue where the DICOM viewer state API does not verify if a document belongs to the current user’s authorized patient or encounter when accepting a document ID (doc id). This allows an authenticated user to read or modify DICOM viewer state, such as annotations and view settings, for any document by enumerating document IDs. The API endpoints affected include those for uploading or saving/loading DICOM viewer state.

Recommendations Update to version 8.0.0 or later.