CVE-2026-25745

Name of the Vulnerable Software and Affected Versions OpenEMR versions up to and including 8.0.0

Description OpenEMR is an electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint does not verify that the message belongs to the current patient or that the user is authorized to edit the patient’s notes. An authenticated user with notes permission can modify any patient’s messages by providing another message ID. The vulnerable endpoint is a PUT or POST request to the message/note update endpoint. The vulnerable parameter is the message/note ID. Commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contains a fix for the issue.

Recommendations Update to a version later than 8.0.0.