CVE-2026-25927
Published: 25 February 2026
Summary
CVE-2026-25927 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 32.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2026-25927 is an authorization bypass vulnerability (CWE-639) in OpenEMR, a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API endpoints, such as those for uploading or saving/loading viewer states, accept a document ID (doc_id) parameter without verifying that the document belongs to the current user's authorized patient or encounter. This flaw has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact.
An authenticated user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By enumerating document IDs, the attacker can read or modify DICOM viewer states—including annotations and view settings—for any document, potentially accessing or altering sensitive medical imaging data outside their authorized scope.
The official GitHub Security Advisory (GHSA-qj9f-x7v2-hrr7) confirms that upgrading to OpenEMR version 8.0.0 resolves the issue by implementing proper document ownership verification in the affected API.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8715
Vulnerability details
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs to the current user's authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authorization bypass (IDOR) in the web API directly enables exploitation of the public-facing application for unauthorized access to database records (DICOM viewer states and the medical imaging data they describe).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks to ensure the supplied doc_id belongs to the authenticated user's authorized patient or encounter before allowing DICOM state read/write.
- AC-24 (Access Control Decisions): requires the system to base access decisions on verified ownership attributes rather than blindly accepting an unvalidated document identifier.
- Information flow enforcement: enforces information-flow rules that would block unauthorized cross-patient or cross-encounter access to DICOM viewer state objects.
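The following added example (not OpenEMR's code; a constructed toy model of the flaw and of the AC-3/AC-24 fix described above) contrasts a viewer-state handler that trusts doc_id with one that resolves the document's owning patient and compares it against the caller's authorizations. The document table, user-to-patient mapping and handler names are assumptions made for illustration.

```python
# Constructed sample data modelling CVE-2026-25927; this is NOT OpenEMR's schema or API.
DOCUMENTS = {
    101: {"patient_id": 1, "encounter_id": 11,
          "viewer_state": {"annotations": ["lesion, left lobe"], "zoom": 1.0}},
    202: {"patient_id": 2, "encounter_id": 22,
          "viewer_state": {"annotations": [], "zoom": 1.5}},
}
# Patients each authenticated user may access (assumed to derive from assigned encounters).
USER_PATIENTS = {"alice": {1}, "bob": {2}}


def load_state_vulnerable(user, doc_id):
    """Pre-8.0.0 behaviour: doc_id is trusted; the caller's scope is never consulted."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc["viewer_state"]


def _authorized(user, doc):
    """AC-3 / AC-24: decide on the document's verified owner, not on the client-supplied ID."""
    return doc is not None and doc["patient_id"] in USER_PATIENTS.get(user, set())


def load_state_hardened(user, doc_id):
    """Fixed read path: ownership is verified before any viewer state is returned."""
    doc = DOCUMENTS.get(doc_id)
    if not _authorized(user, doc):
        # Identical response for missing and out-of-scope documents, so an ID sweep
        # cannot learn which doc_ids exist.
        return 404, None
    return 200, doc["viewer_state"]


def save_state_hardened(user, doc_id, new_state):
    """Fixed write path: the same ownership check guards modification of annotations/settings."""
    doc = DOCUMENTS.get(doc_id)
    if not _authorized(user, doc):
        return 404, None
    doc["viewer_state"] = dict(new_state)
    return 200, doc["viewer_state"]


def exposed_docs(loader, user, candidate_ids):
    """Regression check for the control: which doc_ids does this loader disclose to the user?"""
    return [d for d in candidate_ids if loader(user, d)[0] == 200]
```

Running exposed_docs over a range of IDs is a cheap regression test to keep in the endpoint's test suite: the vulnerable loader discloses every existing document, the hardened one only the caller's own.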