PT-2026-21973 · Openemr · Openemr

Simecek · Published 2026-02-25 · Updated 2026-02-27 · CVE-2026-24890

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

OpenEMR versions prior to 8.0.0

Description

OpenEMR is an electronic health records and medical practice management application. An authorization bypass in the patient portal signature endpoint allows authenticated portal users to upload and overwrite provider signatures. This is achieved by setting the type parameter to admin-signature and specifying any provider user ID. This could lead to signature forgery on medical documents, legal compliance violations, and fraud. The issue occurs because portal users are allowed to modify provider signatures without proper authorization checks. The vulnerable parameter is type.

Recommendations

Update to version 8.0.0 or later.
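
The missing control described above is a server-side check that ties the requested signature type and target ID to the caller's session. The following is an added illustration, not OpenEMR's code or the 8.0.0 fix: the function name, the session layout and the `patient-signature` type name are assumptions; only `admin-signature` comes from the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical authorization check (names and session layout are assumptions,
// not OpenEMR's actual code). The caller's identity is read from the
// server-side session, never from request parameters.
function canWriteSignature(array $session, string $type, int $targetId): bool
{
    switch ($type) {
        case 'patient-signature': // assumed name for the patient's own signature type
            // A portal user may only write the signature of their own patient record.
            return ($session['kind'] ?? '') === 'portal'
                && ($session['patient_id'] ?? null) === $targetId;

        case 'admin-signature':
            // Provider signatures: staff sessions only, and only for the
            // signed-in provider's own user ID.
            return ($session['kind'] ?? '') === 'staff'
                && ($session['user_id'] ?? null) === $targetId;

        default:
            return false; // unknown type: deny by default
    }
}

// Constructed sample sessions and requests.
$portal = ['kind' => 'portal', 'patient_id' => 17];
$staff  = ['kind' => 'staff', 'user_id' => 4];

$cases = [
    ['portal user, own patient signature', $portal, 'patient-signature', 17, true],
    ['portal user, provider signature',    $portal, 'admin-signature',    4, false],
    ['portal user, another patient',       $portal, 'patient-signature', 18, false],
    ['provider, own signature',            $staff,  'admin-signature',    4, true],
    ['provider, another provider',         $staff,  'admin-signature',    5, false],
    ['unknown signature type',             $staff,  'other',              4, false],
];

foreach ($cases as [$label, $session, $type, $target, $expected]) {
    $allowed = canWriteSignature($session, $type, $target);
    $flag = $allowed === $expected ? '' : '  (unexpected)';
    printf("%-36s %s%s\n", $label, $allowed ? 'ALLOW' : 'DENY', $flag);
}
```

The second case is the request pattern the advisory describes: a portal session asking to write `admin-signature` for a provider ID, which this check denies.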

Exploit

Fix

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2026-24890
GHSA-XC8X-MFH8-9XVH

Affected Products

Openemr