Cyber Resilience

CVE-2026-25927

HighPublic PoC

Published: 25 February 2026

Published
25 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0013 32.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25927 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-25927 is an authorization bypass vulnerability (CWE-639) in OpenEMR, a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API endpoints, such as those for uploading or saving/loading viewer states, accept a document ID (doc_id) parameter without verifying that the document belongs to the current user's authorized patient or encounter. This flaw has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact.

An authenticated user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By enumerating document IDs, the attacker can read or modify DICOM viewer states—including annotations and view settings—for any document, potentially accessing or altering sensitive medical imaging data outside their authorized scope.

The official GitHub Security Advisory (GHSA-qj9f-x7v2-hrr7) confirms that upgrading to OpenEMR version 8.0.0 resolves the issue by implementing proper document ownership verification in the affected API.

EU & UK References

Vulnerability details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs…

more

to the current user’s authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authorization bypass (IDOR) in web API directly enables exploitation of the application for unauthorized access to database records (DICOM states and medical data).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25147Same product: Open-Emr Openemr
CVE-2026-34055Same product: Open-Emr Openemr
CVE-2026-32126Same product: Open-Emr Openemr
CVE-2026-32127Same product: Open-Emr Openemr
CVE-2026-23627Same product: Open-Emr Openemr
CVE-2026-24908Same product: Open-Emr Openemr
CVE-2026-33910Same product: Open-Emr Openemr
CVE-2026-32123Same product: Open-Emr Openemr
CVE-2026-25131Same product: Open-Emr Openemr
CVE-2026-25746Same product: Open-Emr Openemr

Affected Assets

open-emr
openemr
≤ 8.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks to ensure the supplied doc_id belongs to the authenticated user's authorized patient or encounter before allowing DICOM state read/write.

prevent

Requires the system to base access decisions on verified ownership attributes rather than blindly accepting an unvalidated document identifier.

prevent

Enforces information-flow rules that would block unauthorized cross-patient or cross-encounter access to DICOM viewer state objects.

References