CVE-2026-25927

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs to the current user’s authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openemr/openemr/security/advisories/GHSA-qj9f-x7v2-hrr7	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-25 19:43

Updated : 2026-02-27 14:40

NVD link : CVE-2026-25927

Mitre link : CVE-2026-25927

CVE.ORG link : CVE-2026-25927

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-25927", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2026-02-25T19:43:22.757", "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-qj9f-x7v2-hrr7", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs to the current user\u2019s authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n de c\u00f3digo abierto y gratuita para la gesti\u00f3n de registros m\u00e9dicos electr\u00f3nicos y consultorios m\u00e9dicos. Antes de la versi\u00f3n 8.0.0, la API de estado del visor DICOM (por ejemplo, carga o guardar/cargar estado) acepta un ID de documento ('doc_id') sin verificar que el documento pertenezca al paciente o encuentro autorizado del usuario actual. Un usuario autenticado puede leer o modificar el estado del visor DICOM (por ejemplo, anotaciones, configuraciones de vista) para cualquier documento al enumerar los ID de documento. La versi\u00f3n 8.0.0 corrige el problema."}], "lastModified": "2026-02-27T14:40:46.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEAA9896-A42E-437C-BEE8-8DA955E34385", "versionEndExcluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}