CVE-2026-25929

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0

Description OpenEMR is an electronic health records and medical practice management application. Before version 8.0.0, the patient picture context in the document controller did not verify user authorization when serving patient photos by document ID or patient ID. This allowed an authenticated user with document access control to retrieve photos of other patients by supplying their ID. The vulnerable component is the document controller’s patient picture context. The affected parameter is the patient ID.

Recommendations Update to version 8.0.0 or later.