Cyber Resilience

CVE-2026-25135

Medium

Published: 25 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: available (fixed in 8.0.0)
CVSS v3.1 score: 4.5 (Medium) · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
EPSS score: 0.0016 (36.8th percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25135 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in OpenEMR (open-emr/openemr), affecting versions prior to 8.0.0. Its CVSS v3.1 base score is 4.5 (Medium): network-reachable and low complexity, but it requires high privileges (an administrator-approved confidential client holding specific system scopes) and user interaction, and it affects confidentiality only.

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The EPSS model ranks it at the 36.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 have an information disclosure vulnerability that leaks the entire contact information for all users, organizations, and patients in the system to anyone who has the system/(Group,Patient,*).$export operation and system/Location.read capabilities. This vulnerability will impact OpenEMR versions since 2023. This disclosure will only occur in extremely high trust environments as it requires using a confidential client with secure key exchange that requires an administrator to enable and grant permission before the app can even be used. This will typically only occur in server-server communication across trusted clients that already have established legal agreements. Version 8.0.0 contains a patch. As a workaround, disable clients that have the vulnerable scopes and only allow clients that do not have the system/Location.read scope until a fix has been deployed.
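The workaround above comes down to a scope audit: on an unpatched install, any enabled client that holds a system-level $export scope (Group, Patient or the * wildcard) together with system/Location.read must be disabled or re-scoped. The script below is an added illustration of that audit, not OpenEMR project code. It assumes clients are represented as rows with client_id, a space-separated scope string (the way OpenEMR stores SMART scopes) and an is_enabled flag; the sample rows are constructed, not taken from a real installation.

```python
"""Audit OpenEMR OAuth2/SMART client registrations for the scope combination
described in CVE-2026-25135 (a system-level $export operation granted together
with system/Location.read) and derive the advisory's workaround scope set.

Added illustration, not OpenEMR project code. Assumptions (labelled):
  - each client is a dict with 'client_id', 'scope' (space-separated SMART
    scopes, as OpenEMR stores them) and 'is_enabled';
  - SAMPLE_CLIENTS below is constructed sample data, not a real installation.
"""
from __future__ import annotations

import re

# Scopes the advisory names: a system-level $export on Group, Patient or the
# wildcard resource, plus system/Location.read.
EXPORT_SCOPE = re.compile(r"^system/(Group|Patient|\*)\.\$export$")
LOCATION_READ = "system/Location.read"
PATCHED_VERSION = (8, 0, 0)


def parse_scopes(scope_field: str) -> set[str]:
    """Split OpenEMR's space-delimited scope string into a set of scopes."""
    return {s for s in scope_field.split() if s}


def has_vulnerable_scope_combo(scopes: set[str]) -> bool:
    """True when the client holds both halves of the CVE-2026-25135 combination."""
    has_export = any(EXPORT_SCOPE.match(s) for s in scopes)
    return has_export and LOCATION_READ in scopes


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '7.0.2' or '7.0.2(1)' into a comparable tuple; suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised OpenEMR version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    """Affected means strictly older than the patched release 8.0.0."""
    return parse_version(version) < PATCHED_VERSION


def flag_clients(clients: list[dict], openemr_version: str) -> list[str]:
    """Return client_ids that must be disabled or re-scoped on an unpatched install.

    Disabled clients are skipped: they cannot obtain tokens, so they expose
    nothing until someone re-enables them (re-check after any such change).
    """
    if not is_affected_version(openemr_version):
        return []
    return [
        c["client_id"]
        for c in clients
        if c.get("is_enabled", 0)
        and has_vulnerable_scope_combo(parse_scopes(c["scope"]))
    ]


def workaround_scopes(scope_field: str) -> str:
    """Advisory workaround: keep the client but strip system/Location.read."""
    kept = sorted(parse_scopes(scope_field) - {LOCATION_READ})
    return " ".join(kept)


# Constructed sample rows (assumption: shaped like oauth_clients rows, not real data).
SAMPLE_CLIENTS = [
    {"client_id": "bulk-analytics", "is_enabled": 1,
     "scope": "system/Patient.$export system/Location.read system/Patient.read"},
    {"client_id": "group-export", "is_enabled": 1,
     "scope": "system/Group.$export system/Location.read"},
    {"client_id": "location-only", "is_enabled": 1,
     "scope": "system/Location.read system/Practitioner.read"},
    {"client_id": "export-no-loc", "is_enabled": 1,
     "scope": "system/*.$export openid fhirUser"},
    {"client_id": "old-disabled", "is_enabled": 0,
     "scope": "system/*.$export system/Location.read"},
    {"client_id": "patient-app", "is_enabled": 1,
     "scope": "patient/Patient.read patient/Location.read launch/patient"},
]

if __name__ == "__main__":
    for cid in flag_clients(SAMPLE_CLIENTS, "7.0.3"):
        row = next(c for c in SAMPLE_CLIENTS if c["client_id"] == cid)
        print(f"{cid}: {row['scope']!r} -> {workaround_scopes(row['scope'])!r}")
```

Run against a live system, the rows would come from OpenEMR's client registration store (assumed here to be the oauth_clients table with client_id, scope and is_enabled columns; verify the column names on your version before querying). Only the two enabled clients holding both halves of the combination are flagged; a client with only system/Location.read, or only an $export scope, does not trigger the leak as described, and the disabled legacy client is reported only once it is re-enabled. Once the instance is on 8.0.0 the audit returns nothing, since the scopes are no longer a problem by themselves.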

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1213.006 Data from Information Repositories: Databases (tactic: Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The information disclosure directly enables collection of user, organization and patient contact data from the EHR application (T1005) and, by extension, from the database that backs it (T1213.006). Note that the data is retrieved through the authorized FHIR export path rather than by the attacker reading files or the database directly, so host-level collection telemetry is unlikely to see it; the useful signal is the $export activity of the client itself.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

open-emr
openemr
< 8.0.0 (fixed in 8.0.0)

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200

Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.

addresses: CWE-200

Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.

addresses: CWE-200

Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.

addresses: CWE-200

By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.

addresses: CWE-200

Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.

addresses: CWE-200

Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.

addresses: CWE-200

Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.

addresses: CWE-200

Retaining and monitoring training records confirms personnel have completed privacy and security awareness training on handling sensitive data, reducing the chance of unauthorized exposure due to lack of knowledge.

References