PT-2026-21828 · Openemr · Openemr

Heshamm1 · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-25131

CVSS v3.1: 8.8 High (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0

Description: A Broken Access Control issue exists in the OpenEMR order types management system. Low-privilege users, such as Receptionists, can add and modify procedure types without proper authorization. This is due to insufficient access controls in the /openemr/interface/orders/types_edit.php API endpoint. The vulnerability allows unauthorized manipulation of medical procedure types.

Recommendations: Update to version 8.0.0 or later.

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-25131, GHSA-6H2M-4PPF-PH4J

Affected Products: Openemr