Cyber Resilience

CVE-2026-25164

HighPublic PoC

Published: 25 February 2026

Published
25 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0026 17.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25164 is a high-severity Missing Authorization (CWE-862) vulnerability in Open-Emr Openemr. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

CVE-2026-25164 is a missing authorization vulnerability (CWE-862) in OpenEMR, a free and open-source electronic health records and medical practice management application. In versions prior to 8.0.0, the REST API route table defined in `apis/routes/_rest_routes_standard.inc.php` fails to invoke `RestConfig::request_authorization_check()` for document and insurance routes. While other patient-related routes, such as encounters and patients/med, properly enforce OpenEMR access control lists (ACLs), this omission allows any valid API bearer token to bypass ACL restrictions and access or modify documents and insurance data across all patients, exposing protected health information (PHI).

The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with low attack complexity. Exploitation requires low privileges—an attacker needs only a valid bearer token from any authenticated API client. Over networks, they can remotely read or alter every patient's documents and insurance details without user interaction, potentially leading to unauthorized PHI disclosure or manipulation in healthcare environments.

OpenEMR version 8.0.0 addresses the issue by adding the missing authorization check to the affected routes. Security practitioners should upgrade to this version immediately. Relevant advisories and patch details are available in the GitHub security advisory (GHSA-f64c-h2gh-g3f9) and the fixing commit (c5e1c44774156cd0d04f4e08ed6a81fe76d38e92).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in…

more

the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the token’s OpenEMR ACLs—effectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization in OpenEMR REST API enables exploitation of a public-facing web application to bypass ACLs, allowing low-privileged authenticated attackers to remotely access and modify sensitive patient documents and insurance data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34053Same product: Open-Emr Openemr
CVE-2026-32126Same product: Open-Emr Openemr
CVE-2026-25131Same product: Open-Emr Openemr
CVE-2026-33918Same product: Open-Emr Openemr
CVE-2026-33914Same product: Open-Emr Openemr
CVE-2026-24848Same product: Open-Emr Openemr
CVE-2026-32127Same product: Open-Emr Openemr
CVE-2026-25146Same product: Open-Emr Openemr
CVE-2025-29789Same product: Open-Emr Openemr
CVE-2026-33910Same product: Open-Emr Openemr

Affected Assets

open-emr
openemr
≤ 8.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to patient documents and insurance data via API routes, directly preventing bypass of ACLs by valid bearer tokens.

prevent

Establishes and enforces configuration settings for REST API routes to invoke authorization checks like RestConfig::request_authorization_check().

detect

Monitors system components for unauthorized disclosure of PHI through document and insurance API routes lacking authorization enforcement.

References