CVE-2026-25131
Published: 25 February 2026
Summary
CVE-2026-25131 is a high-severity Missing Authorization (CWE-862) vulnerability in OpenEMR. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 15.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for access to the order types management endpoint, directly preventing low-privilege users from adding or modifying procedure types.
- Applies least privilege to restrict Receptionist and other low-privilege roles from performing unauthorized modifications to procedure types.
- Requires explicit authorization decisions for system resources like the types_edit.php endpoint based on user roles, mitigating the broken access control vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Broken access control (CWE-862) in the web-accessible order types endpoint directly enables low-privilege authenticated users to perform unauthorized modifications to critical data, mapping to Exploitation for Privilege Escalation (T1068), Exploit Public-Facing Application (T1190), and Stored Data Manipulation (T1565.001).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege users (such as Receptionist) to add and modify procedure types without proper authorization. This vulnerability is present in the /openemr/interface/orders/types_edit.php endpoint. Version 8.0.0 contains a patch.
Deeper analysis
CVE-2026-25131 is a Broken Access Control vulnerability (CWE-862) affecting OpenEMR, a free and open source electronic health records and medical practice management application. The issue exists prior to version 8.0.0 in the order types management system, specifically at the /openemr/interface/orders/types_edit.php endpoint, where low-privilege users can add and modify procedure types without proper authorization. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for high impacts on confidentiality, integrity, and availability.
An authenticated attacker with low privileges, such as the Receptionist role, can exploit this vulnerability over the network without user interaction. By accessing the vulnerable endpoint, they can create or alter procedure types without authorization, potentially enabling manipulation of medical orders, billing structures, or other critical practice management data within the OpenEMR instance.
The official patch is included in OpenEMR version 8.0.0, as detailed in the GitHub security advisory (GHSA-6h2m-4ppf-ph4j) and the fixing commit (1e63cbab34558bca029533f87cdb6efb1ff32c75). Security practitioners should prioritize upgrading to version 8.0.0 or later to mitigate the issue.
Details
- CWE(s)