Dozens of vulnerabilities, including critical issues that could be exploited to steal sensitive patient information, were recently discovered in the open source electronic medical records platform OpenEMR.
OpenEMR, which is used worldwide by over 100,000 healthcare providers to store data on more than 200 million patients, was analyzed by the application security firm Aisle. The company’s autonomous analyzer identified 39 issues, of which 38 have been assigned CVE identifiers.
The research was conducted as part of a partnership between OpenEMR developers and Aisle, and all of the vulnerabilities have been patched.
The majority of the security holes were due to missing or incorrect authorization. The remaining vulnerabilities were described as XSS, SQL injection, path traversal, and session expiration issues.
“In the most severe cases, SQL injection vulnerabilities combined with modest database privileges could have led to full database compromise, PHI exfiltration at scale, and remote code execution on the server,” Aisle said.
The security firm highlighted three vulnerabilities that can be exploited to access or alter patient data. Two of them are critical SQL injection bugs tracked as CVE-2026-24908 and CVE-2026-23627, which could allow any authenticated attacker to compromise a database, exfiltrate data, steal credentials, and execute arbitrary code.
Another flaw exposing patient data is CVE-2026-24487, described as an authorization bypass issue.
The complete list of OpenEMR CVEs is available in a blog post from Aisle.
Critical OpenEMR vulnerabilities that expose patient information are regularly discovered by researchers.
CVEdetails has cataloged more than 200 vulnerabilities discovered over the past decade. However, there do not appear to be any public reports confirming in-the-wild exploitation of OpenEMR vulnerabilities.
This may be due to many OpenEMR deployments being firewalled or kept up to date, and to healthcare organizations more commonly being hit via broader vectors rather than application-specific flaws.