Cyber Posture

CVE-2026-25146

Critical · Public PoC

Published: 03 March 2026

Modified: 04 March 2026
KEV Added: not listed
Patch: fixed in 8.0.0
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0003 (7.7th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25146 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Open-Emr Openemr. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1552). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): Directly mitigates the CVE by requiring timely remediation of the specific code flaw that renders the gateway_api_key in plaintext, via upgrade to OpenEMR 8.0.0.

SI-15 Information Output Filtering (prevent): Prevents exposure of sensitive information such as the gateway_api_key by filtering outputs sent to clients in the affected paths front_payment.php and portal_payment.php.

Detection control (detect): Monitors for unauthorized disclosure of sensitive secrets such as the gateway_api_key to low-privileged clients, enabling detection of exploitation attempts.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

The vulnerability in the public-facing OpenEMR web application enables remote exploitation (T1190) by low-privileged users to disclose gateway API keys; this directly facilitates unsecured credential exposure (T1552), leading to abuse of the external payment account.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.

Deeper analysis (AI)

CVE-2026-25146 is a high-severity vulnerability in OpenEMR, a free and open source electronic health records and medical practice management application. Affecting versions from 5.0.2 up to but not including 8.0.0, the issue involves at least two code paths that render the gateway_api_key secret value in plaintext to the client. Classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N), highlighting its critical potential impact.

A low-privileged remote attacker (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation leaks the gateway_api_key, enabling arbitrary money movement or broad account takeover of connected payment gateway APIs, with high confidentiality and integrity impacts and a changed scope (S:C), since the harm reaches the external payment gateway rather than OpenEMR alone.

The vulnerability is addressed in OpenEMR 8.0.0 via commit fe6341496dc82d5b4f5a3f35891bb2e2481f3b25, as documented in the GitHub security advisory GHSA-2hq8-wc73-jvvq. Affected paths include interface/patient_file/front_payment.php (line 765) and portal/portal_payment.php (line 537). Practitioners should upgrade to version 8.0.0 or later to mitigate exposure.
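After upgrading, an operator will want to confirm that the two affected paths no longer echo the key to a low-privileged session. The following Python check is an added example, not code from the page, OpenEMR or the advisory: given the deployment's configured gateway_api_key and saved response bodies, it reports every place the value, or a common encoding of it, appears. The key and the response bodies below are constructed samples.

```python
import html
import json
import re
import urllib.parse

# Constructed sample key for this demonstration; a real check would read the
# deployment's own gateway_api_key from its configuration, never hard-code it.
SAMPLE_KEY = "sk_live_CONSTRUCTED_EXAMPLE_KEY_0123"

# Constructed response bodies standing in for what a low-privileged session
# might receive from the two affected paths before the fix, plus one clean page.
CONSTRUCTED_RESPONSES = {
    "interface/patient_file/front_payment.php":
        '<script>var gatewayApiKey = "' + SAMPLE_KEY + '";</script>',
    "portal/portal_payment.php":
        '<input type="hidden" name="api_key" value="' + html.escape(SAMPLE_KEY) + '">',
    "interface/main/main_screen.php":
        "<html><body>No payment configuration rendered here.</body></html>",
}


def encoded_forms(secret):
    """Common encodings under which a server-side secret lands in a page body."""
    return {
        "plain": secret,
        "html": html.escape(secret, quote=True),
        "json": json.dumps(secret)[1:-1],          # strip the surrounding quotes
        "url": urllib.parse.quote(secret, safe=""),
    }


def find_secret_leaks(body, secret):
    """Return [(encoding, offset), ...] for every place `secret` appears in `body`."""
    hits, seen = [], set()
    for form, needle in encoded_forms(secret).items():
        for m in re.finditer(re.escape(needle), body):
            if m.start() not in seen:               # identical encodings share an offset
                seen.add(m.start())
                hits.append((form, m.start()))
    return sorted(hits, key=lambda hit: hit[1])


def check_paths(responses, secret):
    """Map each leaking path to its hits; an empty dict means no path echoed the key."""
    report = {}
    for path, body in responses.items():
        hits = find_secret_leaks(body, secret)
        if hits:
            report[path] = hits
    return report
```

Run `check_paths` against bodies fetched with a low-privileged account after the upgrade; any non-empty result means the key is still reaching clients on that path.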

Details

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Affected Products: open-emr / openemr, versions 5.0.2 up to (not including) 8.0.0

CVEs Like This One

CVE-2026-25164 (same product: Open-Emr Openemr)
CVE-2026-33914 (same product: Open-Emr Openemr)
CVE-2026-25147 (same product: Open-Emr Openemr)
CVE-2026-32127 (same product: Open-Emr Openemr)
CVE-2026-24898 (same product: Open-Emr Openemr)
CVE-2025-29789 (same product: Open-Emr Openemr)
CVE-2026-32238 (same product: Open-Emr Openemr)
CVE-2026-33910 (same product: Open-Emr Openemr)
CVE-2026-32126 (same product: Open-Emr Openemr)
CVE-2026-24908 (same product: Open-Emr Openemr)
