CVE-2026-24487

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0

Description OpenEMR is an electronic health records and medical practice management application. A flaw exists where patient-scoped FHIR tokens can access care team data for all patients instead of being limited to the authenticated patient’s data. This is due to the FhirCareTeamService not implementing the IPatientCompartmentResourceService interface and failing to pass the patient binding parameter, bypassing patient compartment filtering. This could result in unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures. The vulnerable endpoint is the FHIR CareTeam resource endpoint.

Recommendations Update to version 8.0.0 or later.