CVE-2026-24908

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/openemr/openemr/commit/943e23cad6e979f87cdf168807fce2a7b32dd194	Patch
https://github.com/openemr/openemr/security/advisories/GHSA-rcc2-45v3-qmqm	Exploit Vendor Advisory
https://github.com/openemr/openemr/security/advisories/GHSA-rcc2-45v3-qmqm	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-25 19:43

Updated : 2026-02-27 14:42

NVD link : CVE-2026-24908

Mitre link : CVE-2026-24908

CVE.ORG link : CVE-2026-24908

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-24908", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-02-25T19:43:21.657", "references": [{"url": "https://github.com/openemr/openemr/commit/943e23cad6e979f87cdf168807fce2a7b32dd194", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-rcc2-45v3-qmqm", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-rcc2-45v3-qmqm", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto de registros de salud electr\u00f3nicos y gesti\u00f3n de consultorios m\u00e9dicos. Antes de la versi\u00f3n 8.0.0, una vulnerabilidad de inyecci\u00f3n SQL en el endpoint de la API REST de Pacientes permite a usuarios autenticados con acceso a la API ejecutar consultas SQL arbitrarias a trav\u00e9s del par\u00e1metro '_sort'. Esto podr\u00eda potencialmente llevar a acceso a la base de datos, exposici\u00f3n de PHI (Informaci\u00f3n de Salud Protegida) y compromiso de credenciales. El problema ocurre cuando los nombres de campos de ordenaci\u00f3n proporcionados por el usuario se utilizan en cl\u00e1usulas ORDER por sin una validaci\u00f3n adecuada o escape de identificadores. La versi\u00f3n 8.0.0 corrige el problema."}], "lastModified": "2026-02-27T14:42:29.287", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEAA9896-A42E-437C-BEE8-8DA955E34385", "versionEndExcluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}