PT-2026-22349 · Openemr · Openemr

Simecek · Published 2026-02-27 · Updated 2026-02-27 · CVE-2026-24488

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: OpenEMR versions up to and including 8.0.0

Description: OpenEMR is an electronic health records and medical practice management application. A flaw in the fax sending functionality allows any authenticated user to read and transmit any file on the server to a phone number controlled by an attacker. This is possible because the endpoint accepts arbitrary file paths from user input and streams them to the fax gateway without proper restrictions or authorization. The vulnerable endpoint is the fax sending endpoint. The issue allows access to files such as database credentials, patient documents, system files, and source code.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
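
The description attributes the flaw to file paths taken from user input and streamed without restriction. The following is an added example of confining such a path to one directory before it is read; it is not OpenEMR code or the project's fix, and the helper name `resolveFaxAttachment` and the demo directory layout are hypothetical. It covers path confinement only; the per-user authorization check the description also mentions is a separate control.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied file reference to a real path inside $baseDir.
 * Returns null when the input escapes the directory, does not exist,
 * or is not a regular file. Hypothetical helper; requires PHP 8.0+.
 */
function resolveFaxAttachment(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    // Reject NUL bytes up front; PHP 8 filesystem calls throw on them.
    if ($base === false || str_contains($userPath, "\0")) {
        return null;
    }
    // Treat the input as relative to the base even if it starts with "/".
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has resolved ".." and symlinks; the result must stay under the base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($candidate, $prefix) ? $candidate : null;
}

// Constructed demo: a temporary directory stands in for an attachment store.
$store = sys_get_temp_dir() . '/fax_demo_' . bin2hex(random_bytes(4));
mkdir($store . '/outbox', 0700, true);
file_put_contents($store . '/outbox/referral.pdf', 'constructed sample');
file_put_contents($store . '/secret.conf', 'constructed secret');

// One legitimate name, then traversal, absolute-path and missing-file inputs.
$cases = ['referral.pdf', '../secret.conf', '/etc/passwd', 'missing.pdf'];
foreach ($cases as $input) {
    $resolved = resolveFaxAttachment($store . '/outbox', $input);
    printf("%-16s => %s\n", $input, $resolved === null ? 'rejected' : 'allowed');
}

// Remove the constructed demo files.
unlink($store . '/outbox/referral.pdf');
unlink($store . '/secret.conf');
rmdir($store . '/outbox');
rmdir($store);
```

Only `referral.pdf` is allowed; the other three inputs are rejected because they resolve outside the base directory or do not exist inside it.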

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-24488
GHSA-765X-8V97-C7G8

Affected Products

Openemr