CVE-2026-25929

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the document controller’s `patient_picture` context serves the patient’s photo by document ID or patient ID without verifying that the current user is authorized to access that patient. An authenticated user with document ACL can supply another patient’s ID and retrieve their photo. Version 8.0.0 fixes the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openemr/openemr/commit/fc4d00ecb63561dacd23cb1fed49c64bd1a83258	Patch
https://github.com/openemr/openemr/security/advisories/GHSA-778w-r8rm-8qhq	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-25 19:43

Updated : 2026-02-27 14:39

NVD link : CVE-2026-25929

Mitre link : CVE-2026-25929

CVE.ORG link : CVE-2026-25929

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-25929", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-02-25T19:43:22.930", "references": [{"url": "https://github.com/openemr/openemr/commit/fc4d00ecb63561dacd23cb1fed49c64bd1a83258", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-778w-r8rm-8qhq", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the document controller\u2019s `patient_picture` context serves the patient\u2019s photo by document ID or patient ID without verifying that the current user is authorized to access that patient. An authenticated user with document ACL can supply another patient\u2019s ID and retrieve their photo. Version 8.0.0 fixes the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para registros de salud electr\u00f3nicos y gesti\u00f3n de consultorios m\u00e9dicos. Antes de la versi\u00f3n 8.0.0, el contexto 'patient_picture' del controlador de documentos sirve la foto del paciente por ID de documento o ID de paciente sin verificar que el usuario actual est\u00e9 autorizado para acceder a ese paciente. Un usuario autenticado con ACL de documento puede proporcionar el ID de otro paciente y recuperar su foto. La versi\u00f3n 8.0.0 soluciona el problema."}], "lastModified": "2026-02-27T14:39:26.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEAA9896-A42E-437C-BEE8-8DA955E34385", "versionEndExcluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}