CVE-2026-24487
Published: 25 February 2026
Summary
CVE-2026-24487 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Open-Emr Openemr. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8701
Vulnerability details
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all…
more
patients instead of being restricted to only the authenticated patient's data. This could potentially lead to unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures across the entire system. The issue occurs because the `FhirCareTeamService` does not implement the `IPatientCompartmentResourceService` interface and does not pass the patient binding parameter to the underlying service, bypassing the patient compartment filtering mechanism. Version 8.0.0 contains a patch for this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in public-facing FHIR API endpoint directly enables exploitation of a public-facing application (T1190) to access unauthorized sensitive data.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
Ensures authorization decisions for external system use are correctly implemented and enforced.
It assists users in evaluating and applying correct authorization decisions when sharing information with external partners.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Drives review and correction of flawed authorization logic applied to organizational data.
Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.
Restricts processing strictly to documented authorized uses, mitigating incorrect authorization decisions for sensitive data.
Addresses incorrect authorization by requiring independent verification of results and an opportunity to contest before any adverse action is taken.