CVE-2026-25135

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0

Description OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0 have an information disclosure issue that exposes contact information for users, organizations, and patients to individuals with the system/(Group,Patient,*).$export operation and system/Location.read capabilities. This disclosure requires a confidential client with secure key exchange, which needs to be enabled and granted permission by an administrator. This typically occurs in server-server communication between trusted clients with existing legal agreements. The vulnerable functionality involves the $export operation and the system/Location.read capability.

Recommendations Disable clients that have the vulnerable scopes. Only allow clients that do not have the system/Location.read scope until a fix has been deployed.