CVE-2026-25146

Critical · Public PoC

Published: 03 March 2026

Modified: 04 March 2026
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0044 (35.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25146 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in OpenEMR. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25146 is a critical-severity vulnerability in OpenEMR, a free and open source electronic health records and medical practice management application. In versions from 5.0.2 up to but not including 8.0.0, at least two code paths render the gateway_api_key secret value to the client in plaintext. Classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

A low-privileged remote attacker (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation leaks the gateway_api_key, enabling arbitrary money movement or broad account takeover of connected payment gateway APIs. The CVSS vector rates confidentiality and integrity impact as high and marks the scope as changed (S:C), because the leaked key affects the payment gateway and not only OpenEMR itself.

The vulnerability is addressed in OpenEMR 8.0.0 via commit fe6341496dc82d5b4f5a3f35891bb2e2481f3b25, as documented in the GitHub security advisory GHSA-2hq8-wc73-jvvq. Affected paths include interface/patient_file/front_payment.php (line 765) and portal/portal_payment.php (line 537). Practitioners should upgrade to version 8.0.0 or later to mitigate exposure.

Vulnerability details

OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The vulnerability in the public-facing OpenEMR web application enables remote exploitation (T1190) by low-privileged users to disclose gateway API keys. It also directly facilitates unsecured credential exposure (T1552), leading to abuse of external payment accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33914 · Same product: Open-Emr Openemr
CVE-2013-10044 · Same product: Open-Emr Openemr
CVE-2026-25164 · Same product: Open-Emr Openemr
CVE-2026-24848 · Same product: Open-Emr Openemr
CVE-2026-32127 · Same product: Open-Emr Openemr
CVE-2026-34053 · Same product: Open-Emr Openemr
CVE-2025-29789 · Same product: Open-Emr Openemr
CVE-2026-33910 · Same product: Open-Emr Openemr
CVE-2026-24908 · Same product: Open-Emr Openemr
CVE-2026-24890 · Same product: Open-Emr Openemr

Affected Assets

open-emr openemr, versions 5.0.2 to before 8.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly mitigates the CVE by requiring timely remediation of the specific code flaw that renders the gateway_api_key in plaintext, via upgrade to OpenEMR 8.0.0.

Prevent: Prevents exposure of sensitive information like the gateway_api_key by filtering outputs sent to clients in affected paths such as front_payment.php and portal_payment.php.

Detect: Monitors for unauthorized disclosure of sensitive secrets like the gateway_api_key to low-privileged clients, enabling detection of exploitation attempts.