CVE-2026-25927
Published: 25 February 2026
Summary
CVE-2026-25927 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in OpenEMR (NVD vendor/product: Open-Emr Openemr). Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 32.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authorization bypass (IDOR) in the web API directly enables exploitation of the public-facing application for unauthorized access to database records (DICOM viewer states and the associated medical data).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs to the current user’s authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue.
Deeper analysis
CVE-2026-25927 is an authorization bypass vulnerability (CWE-639) in OpenEMR, a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API endpoints, such as those for uploading or saving/loading viewer states, accept a document ID (doc_id) parameter without verifying that the document belongs to the current user's authorized patient or encounter. This flaw has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact.
An authenticated user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By enumerating document IDs, the attacker can read or modify DICOM viewer states—including annotations and view settings—for any document, potentially accessing or altering sensitive medical imaging data outside their authorized scope.
The official GitHub Security Advisory (GHSA-qj9f-x7v2-hrr7) confirms that upgrading to OpenEMR version 8.0.0 resolves the issue by implementing proper document ownership verification in the affected API.
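The following is an added illustration of the CWE-639 pattern described in the NVD text and the analysis above: a viewer-state lookup keyed only by a client-supplied document ID, beside the same lookup with the ownership check the fix describes, plus the two defender-side checks that follow from it (a regression test that enumerates IDs against both handlers, and a simple audit-log rule that flags a user collecting many distinct "denied" document IDs). It is hypothetical example code, not OpenEMR's; the `DOCUMENTS` table, the `USER_PATIENTS` map, the user names and the document IDs are all constructed.

```python
"""Hypothetical model of the doc_id authorization flaw (CWE-639) and its fix.
Not OpenEMR code: every table, name and ID below is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: int
    patient_id: int        # the patient chart this document belongs to
    viewer_state: dict     # annotations, zoom, etc.


# Constructed document store: IDs are sequential, so they are trivially guessable.
DOCUMENTS = {
    101: Document(101, patient_id=1, viewer_state={"annotations": [], "zoom": 1.0}),
    102: Document(102, patient_id=2, viewer_state={"annotations": ["lesion"], "zoom": 2.0}),
    103: Document(103, patient_id=2, viewer_state={"annotations": [], "zoom": 1.5}),
}

# Constructed ACL: which patient charts each user is authorized to work on.
USER_PATIENTS = {"alice": {1}, "bob": {2}}

# Audit trail written by the fixed handlers: (user, doc_id, outcome).
AUDIT = []


class AuthorizationError(Exception):
    pass


def load_state_vulnerable(user, doc_id):
    """The flawed pattern: the document ID from the request is trusted outright,
    so any authenticated user can read any document's viewer state."""
    return DOCUMENTS[doc_id].viewer_state


def _authorized_document(user, doc_id):
    """Ownership check shared by every state endpoint (load, save, upload):
    the document must exist AND belong to a patient the user may access."""
    doc = DOCUMENTS.get(doc_id)
    allowed = doc is not None and doc.patient_id in USER_PATIENTS.get(user, set())
    AUDIT.append((user, doc_id, "ok" if allowed else "denied"))
    if not allowed:
        # One message for "missing" and "not yours", so responses do not reveal
        # which IDs exist to a caller walking the ID space.
        raise AuthorizationError("document not found or not authorized")
    return doc


def load_state_fixed(user, doc_id):
    return _authorized_document(user, doc_id).viewer_state


def save_state_fixed(user, doc_id, new_state):
    doc = _authorized_document(user, doc_id)
    doc.viewer_state = dict(new_state)
    return doc.viewer_state


def is_denied(user, doc_id):
    """True when the fixed handler refuses the request."""
    try:
        load_state_fixed(user, doc_id)
    except AuthorizationError:
        return True
    return False


def enumerate_readable(user, loader, id_range):
    """Regression test for IDOR: which IDs in the range can this user read
    through the given handler? With the fix, only the user's own documents."""
    readable = []
    for doc_id in id_range:
        try:
            loader(user, doc_id)
        except (KeyError, AuthorizationError):
            continue
        readable.append(doc_id)
    return readable


def flag_enumeration(audit, threshold=3):
    """Detection rule over the audit trail: users denied on `threshold` or more
    distinct document IDs are behaving like an ID-enumeration attempt."""
    denied = defaultdict(set)
    for user, doc_id, outcome in audit:
        if outcome == "denied":
            denied[user].add(doc_id)
    return sorted(user for user, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable:", enumerate_readable("alice", load_state_vulnerable, range(100, 105)))
    AUDIT.clear()
    print("fixed:     ", enumerate_readable("alice", load_state_fixed, range(100, 105)))
    print("flagged:   ", flag_enumeration(AUDIT))
```

The point of the shared `_authorized_document` helper is that every endpoint that accepts a `doc_id` (load, save and upload alike) goes through the same ownership check, so a fix cannot be applied to one route and missed on another; the audit trail it writes is what makes the enumeration rule possible.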
Details
- CWE(s)