CVE-2026-29187
Published: 25 March 2026
Summary
CVE-2026-29187 is a high-severity SQL Injection (CWE-89) vulnerability in Open-Emr Openemr. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006); ranked at the 0.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the blind SQL injection vulnerability by requiring timely remediation through application of the OpenEMR 8.0.0.3 patch.
Prevents SQL injection attacks by implementing input validation mechanisms that sanitize or reject manipulated HTTP parameter keys in the Patient Search functionality.
Restricts HTTP parameter keys to an approved allowlist, blocking unauthorized manipulation that enables arbitrary SQL command execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Post-auth SQL injection directly enables arbitrary database queries for extraction (T1213.006) and content modification (T1565.001) in the OpenEMR application.
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality (/interface/new/new_search_popup.php). The vulnerability allows an authenticated attacker to execute arbitrary…
more
SQL commands by manipulating the HTTP parameter keys rather than the values. Version 8.0.0.3 contains a patch.
Deeper analysisAI
CVE-2026-29187 is a Blind SQL Injection vulnerability (CWE-89) affecting OpenEMR, a free and open source electronic health records and medical practice management application. The issue resides in the Patient Search functionality at /interface/new/new_search_popup.php in versions prior to 8.0.0.3. It enables attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys rather than values, earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows extraction of sensitive data or modification of database contents, resulting in high impacts to confidentiality and integrity, though availability remains unaffected.
Mitigation is addressed in OpenEMR version 8.0.0.3, which includes a patch as detailed in the project's GitHub security advisory (GHSA-2r7h-xm8v-m872), release notes, and the specific commit c61887aa7c83e83b3282db05246f1c00de3aa21d. Security practitioners should upgrade to this version promptly to remediate the vulnerability.
Details
- CWE(s)