CVE-2026-25744

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.2

Description OpenEMR is an electronic health records and medical practice management application. The encounter vitals API endpoint, /encounter/vitals, accepts an id parameter in the request body. Prior to version 8.0.0.2, the application does not verify if the vital sign data associated with the provided id belongs to the current patient or encounter. This allows an authenticated user with encounters/notes permission to potentially overwrite any patient's vitals by supplying another patient's vital id, leading to medical record tampering.

Recommendations Update to version 8.0.0.2 or later.