PT-2026-21975 · Openemr · Openemr

Simecek · Published 2026-02-25 · Updated 2026-02-27 · CVE-2026-25164

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0

Description: OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/_rest_routes_standard.inc.php does not call RestConfig::request_authorization_check() for document and insurance routes. This allows any valid API bearer token to access or modify patient documents and insurance data, regardless of assigned permissions, potentially exposing Protected Health Information (PHI). The vulnerable routes do not perform appropriate access control verification: the RestConfig::request_authorization_check() function is not invoked for these specific API endpoints.

Recommendations: Versions prior to 8.0.0 should be updated to version 8.0.0 or later.
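One way a maintainer can audit a route table for handlers that skip the authorization call, as an added example that is not OpenEMR's own code: the script assumes the table is a PHP array mapping "METHOD /path" keys to closures and reports every closure whose body contains no `RestConfig::request_authorization_check(` call. The route table below is constructed for the example and is not the real file.

```python
import re

# Constructed sample in the style the advisory describes: a PHP array that maps
# "METHOD /path" to a closure. Two of the three handlers deliberately omit the
# authorization check, mirroring the document and insurance routes described.
SAMPLE_ROUTES = r'''
$routes = [
    "GET /api/patient/:puuid/encounter" => function ($puuid, $request) {
        RestConfig::request_authorization_check($request, "patients", "demo");
        return (new EncounterRestController())->getAll($puuid);
    },
    "GET /api/patient/:puuid/document" => function ($puuid, $request) {
        return (new DocumentRestController())->getAll($puuid);
    },
    "POST /api/patient/:puuid/insurance" => function ($puuid, $request) {
        $data = json_decode($request->getBody(), true);
        if ($data === null) { return []; }
        return (new InsuranceRestController())->post($puuid, $data);
    },
];
'''

# Matches the start of a route entry up to and including the closure's opening brace.
ROUTE_HEAD = re.compile(
    r'"(GET|POST|PUT|PATCH|DELETE)\s+([^"]+)"\s*=>\s*function\s*\([^)]*\)\s*\{'
)
AUTHZ_CALL = "RestConfig::request_authorization_check("


def _closure_body(src: str, open_brace: int) -> str:
    """Return the text between the closure's braces, honouring nested blocks."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    raise ValueError("unbalanced braces in route table")


def find_unchecked_routes(src: str) -> list[str]:
    """List 'METHOD /path' entries whose handler never calls the authorization check."""
    missing = []
    for m in ROUTE_HEAD.finditer(src):
        body = _closure_body(src, m.end() - 1)  # m.end() - 1 is the '{'
        if AUTHZ_CALL not in body:
            missing.append(f"{m.group(1)} {m.group(2)}")
    return missing


if __name__ == "__main__":
    for route in find_unchecked_routes(SAMPLE_ROUTES):
        print("missing authorization check:", route)
```

The scan is textual, so a check wrapped in a conditional still counts as present; treat its output as a list of handlers to review, not as proof that the remaining ones enforce the right permission.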

Exploit

Fix

Weakness Enumeration

Missing Authorization

Related identifiers

CVE-2026-25164
GHSA-F64C-H2GH-G3F9

Affected products

Openemr