Threat Advisory

OpenEMR Vulnerabilities Enable Unauthorized Information Disclosure and Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Healthcare
Criticality: Critical


EXECUTIVE SUMMARY:

Three vulnerabilities have been uncovered in OpenEMR medical software, which is used worldwide by healthcare providers to store patient data. The flaws include a range of issues such as missing or incorrect authorization, cross-site scripting (XSS), SQL injection, path traversal, and session expiration weaknesses. In the most severe cases, these vulnerabilities could lead to full database compromise, large-scale patient data exfiltration, and remote code execution on the server. The potential business risk and impact are significant, as sensitive patient information could be compromised, leading to reputational damage, financial losses, and potential harm to patients.

CVE-2026-24908 (CVSS score 9.9) is an SQL injection vulnerability in the Patient REST API of OpenEMR that allows authenticated users to execute arbitrary SQL queries via the _sort parameter. The flaw arises from improper validation and lack of escaping of user-supplied input used in ORDER BY clauses. Successful exploitation could lead to database access, exposure of protected health information (PHI), and credential compromise.

CVE-2026-23627 (CVSS score 8.8) is an SQL injection vulnerability in the Immunization module of OpenEMR that allows authenticated users to execute arbitrary SQL queries. The issue stems from improper handling of user-supplied patient_id values, which are directly concatenated into SQL WHERE clauses without parameterization or escaping. Exploitation can result in complete database compromise, PHI exfiltration, credential theft, and potential remote code execution.
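The two root causes named above (an unvalidated sort column spliced into ORDER BY, and a patient identifier concatenated into a WHERE clause) are shown below beside their hardened forms. This is an added illustration written for this advisory, not OpenEMR's code: it uses Python with an in-memory SQLite database as a stand-in for OpenEMR's PHP and MySQL, the table names, columns and sample rows are constructed, and the "-" prefix for descending sort is a convention assumed for the example only.

```python
import re
import sqlite3

# Constructed sample rows standing in for a patient table; not OpenEMR's schema.
SAMPLE_PATIENTS = [
    (1, "Ada", "Lovelace", "1815-12-10"),
    (2, "Alan", "Turing", "1912-06-23"),
    (3, "Grace", "Hopper", "1906-12-09"),
]

# Constructed immunization rows (patient_id, vaccine).
SAMPLE_IMMUNIZATIONS = [
    (1, "MMR"),
    (2, "Tdap"),
    (3, "Influenza"),
]


def make_db():
    """Build an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT, DOB TEXT)")
    conn.executemany("INSERT INTO patient_data VALUES (?, ?, ?, ?)", SAMPLE_PATIENTS)
    conn.execute("CREATE TABLE immunizations (patient_id INTEGER, vaccine TEXT)")
    conn.executemany("INSERT INTO immunizations VALUES (?, ?)", SAMPLE_IMMUNIZATIONS)
    return conn


def immunizations_unsafe(conn, patient_id):
    """The flawed pattern the advisory describes: the caller-supplied value is
    concatenated straight into the WHERE clause, so the database parses it as SQL."""
    sql = "SELECT patient_id, vaccine FROM immunizations WHERE patient_id = " + str(patient_id)
    return conn.execute(sql).fetchall()


def immunizations_safe(conn, patient_id):
    """Hardened form: coerce to int (anything that is not a number is refused)
    and bind the value as a parameter so the driver never treats it as SQL text."""
    pid = int(patient_id)
    sql = "SELECT patient_id, vaccine FROM immunizations WHERE patient_id = ?"
    return conn.execute(sql, (pid,)).fetchall()


# ORDER BY cannot take a bound parameter, so the defence is an allowlist:
# the column name must be one the application explicitly permits.
SORTABLE_COLUMNS = {"pid", "fname", "lname", "DOB"}
# Assumed convention for this example: an optional leading "-" means descending.
SORT_RE = re.compile(r"^(-?)([A-Za-z_][A-Za-z0-9_]*)$")


def parse_sort(sort_param):
    """Map a _sort value onto an allowlisted column and a fixed direction keyword."""
    m = SORT_RE.match(sort_param)
    if not m:
        raise ValueError("malformed _sort value")
    prefix, column = m.groups()
    if column not in SORTABLE_COLUMNS:
        raise ValueError("column is not sortable: %r" % column)
    return column, ("DESC" if prefix == "-" else "ASC")


def list_patients_safe(conn, sort_param="pid"):
    """Hardened list endpoint: only allowlisted identifiers ever reach the query text."""
    column, direction = parse_sort(sort_param)
    sql = f"SELECT pid, lname FROM patient_data ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()


def is_rejected(func, *args):
    """True if the hardened function refuses the input with ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # With concatenation, a tautology appended to the id returns every patient's rows.
    print("unsafe:", immunizations_unsafe(db, "1 OR 1=1"))
    print("safe rejected:", is_rejected(immunizations_safe, db, "1 OR 1=1"))
    print("sorted desc by lname:", list_patients_safe(db, "-lname"))
    print("sort rejected:", is_rejected(list_patients_safe, db, "lname; DROP TABLE patient_data"))
```

The two fixes differ because the SQL grammar differs: a WHERE value is data and can be bound as a parameter, whereas a sort column is an identifier that no driver will bind, so it has to be checked against a closed set before it is interpolated.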


RECOMMENDATION:

We recommend updating OpenEMR to version 8.0.0.3 or later.

REFERENCES:

The following reports contain further technical details:
https://www.securityweek.com/38-vulnerabilities-found-in-openemr-medical-software/
