OpenEMR: Three Critical Vulnerabilities Expose Patient Records Across 100,000 Healthcare Providers

Aisle security researchers have disclosed 38 vulnerabilities in OpenEMR — the world's most widely deployed open-source electronic medical records and practice management system, used by over 100,000 healthcare providers globally. Three of the vulnerabilities are critical, allowing unauthenticated remote code execution and patient record exfiltration. OpenEMR 7.0.2 patch 2 addresses all reported issues; unpatched instances are a direct patient data and regulatory liability.

Tags: openemr, healthcare, emr, patient-data, critical-vulnerability, rce, hipaa, gdpr, medical-records

Aisle security researchers have disclosed 38 vulnerabilities in OpenEMR — the open-source electronic medical records (EMR) and practice management system deployed at over 100,000 healthcare providers worldwide, including hospitals, clinics, and individual practices across more than 40 countries. The vulnerabilities range in severity from low-impact information disclosure to three critical flaws that enable unauthenticated remote code execution and unrestricted access to patient health records.

OpenEMR 7.0.2 patch 2 resolves all 38 reported issues. Healthcare organisations running OpenEMR should apply the update immediately.

The Three Critical Vulnerabilities

CVE-2026-24908 — Unauthenticated SQL Injection

An SQL injection vulnerability in OpenEMR’s patient portal login interface allows an unauthenticated attacker to execute arbitrary SQL queries against the OpenEMR database. A successful attack exposes the complete patient database, including patient demographics, medical history, diagnosis and medication records, insurance information, and provider notes. The SQL injection can also be used to extract administrative credentials from the OpenEMR user table, enabling escalation to full administrative access.

CVE-2026-23627 — Authenticated File Upload to Code Execution

A file upload vulnerability in OpenEMR’s document management system allows a low-privilege authenticated user (including patient portal users with patient-level access) to upload a PHP file that executes as a web shell on the server. The upload validation checks can be bypassed through a crafted multipart upload, resulting in arbitrary code execution under the web server’s process permissions.

CVE-2026-24487 — Patient Portal Authentication Bypass

A logic flaw in the OpenEMR patient portal session management allows an attacker to access another patient’s portal session using only the target patient’s numeric patient ID — which is sequential and enumerable. The session fixation enables reading and downloading the targeted patient’s medical records, appointments, and provider communications without authentication.
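The three defect classes described above, shown as an added illustration in PHP that is not OpenEMR's code and does not reflect how the flaws are implemented in the project: each unsafe pattern sits next to its hardened form. The table, column and function names are hypothetical, and the block assumes a `mysqli` connection, PHP's `finfo` extension, and a storage directory that the web server does not serve.

```php
<?php
// Illustrative patterns only. Not OpenEMR code: the table, column and
// function names are hypothetical and exist only to show each defect class
// beside its fix.

// --- 1. SQL injection in a portal login handler -------------------------

// Unsafe: user-controlled input is concatenated into the query text, so the
// input can change the structure of the statement.
function portal_login_unsafe(mysqli $db, string $user, string $pass): ?array
{
    $sql = "SELECT pid, password_hash FROM portal_users WHERE username = '$user'";
    $res = $db->query($sql);
    $row = $res ? $res->fetch_assoc() : null;
    return ($row && password_verify($pass, $row['password_hash'])) ? $row : null;
}

// Hardened: a prepared statement sends the query text and the data
// separately; the bound value can never be parsed as SQL.
function portal_login(mysqli $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT pid, password_hash FROM portal_users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return ($row && password_verify($pass, $row['password_hash'])) ? $row : null;
}

// --- 2. Document upload that must never become executable code ----------

// Unsafe: trusts the client-supplied filename and writes into a directory
// the web server both serves and executes PHP from.
function store_document_unsafe(array $file, string $webroot): string
{
    $dest = $webroot . '/documents/' . basename($file['name']);  // client chooses the extension
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened: allowlist by sniffed content type (not the multipart header),
// discard the client filename, store outside the document root, and clear
// the execute bit. The extension is derived from the sniffed type.
function store_document(array $file, string $storageDir): string
{
    $allowed = ['application/pdf' => 'pdf', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);  // inspects file content
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('file type not permitted');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];         // server-chosen name
    $dest = rtrim($storageDir, '/') . '/' . $name;                    // $storageDir is outside the webroot
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                                                // readable, never executable
    return $dest;
}

// --- 3. Record access bound to the authenticated session ----------------

// Unsafe: the patient whose records are returned is taken from the request,
// so the sequential IDs can simply be walked.
function records_for_request_unsafe(mysqli $db, array $request): array
{
    return fetch_records($db, (int) $request['pid']);
}

// Hardened: regenerate the session ID at login so a pre-set cookie cannot be
// reused (session fixation), and honour only the patient ID stored
// server-side in that session; request parameters are ignored.
function start_portal_session(int $pid): void
{
    session_regenerate_id(true);
    $_SESSION['pid'] = $pid;
}

function records_for_session(mysqli $db): array
{
    if (empty($_SESSION['pid'])) {
        throw new RuntimeException('not authenticated');
    }
    return fetch_records($db, (int) $_SESSION['pid']);
}

function fetch_records(mysqli $db, int $pid): array
{
    $stmt = $db->prepare('SELECT id, record_date, note FROM patient_records WHERE pid = ?');
    $stmt->bind_param('i', $pid);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

The common thread across the three fixes is that the server, not the client, decides what is trusted: the database driver decides what is data and what is SQL, the server decides the stored filename, location and type, and the session decides which patient is being served. A reviewer checking any PHP web application for these classes should look for query strings built with interpolation, for uploads written under the document root or named by the client, and for any identifier of the current user that is read from the request rather than from the session.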

Deployment Context

OpenEMR’s deployment profile amplifies the severity of these vulnerabilities:

  • Self-hosted installations: A significant portion of OpenEMR deployments are self-hosted by small practices with limited IT resources, meaning patch management cadence is often poor and internet-accessible deployment is common for telemedicine and patient portal access
  • Patient portal accessibility: The patient portal — the attack surface for CVE-2026-24908 and CVE-2026-24487 — is designed to be internet-accessible, providing unauthenticated attackers with direct access to the vulnerable interfaces
  • Regulatory obligations: Patient health data is among the most heavily regulated data categories globally. In the United States, HIPAA breach notifications are required within 60 days of discovery; in the EU, GDPR requires notification within 72 hours

Regulatory Exposure

For healthcare providers, a breach of OpenEMR patient data via these vulnerabilities carries significant regulatory consequences:

HIPAA (United States): Healthcare providers and their business associates must notify affected patients, the HHS Office for Civil Rights, and (for breaches affecting 500 or more individuals in a state) local media within 60 days of discovery. HIPAA penalties for unpatched vulnerabilities causing a breach range from $100 to $50,000 per violation category per year.

GDPR (European Union and UK): Healthcare data is special category data under GDPR Article 9. Breaches require notification to the supervisory authority within 72 hours and to affected data subjects without undue delay. Fines can reach 4% of global annual turnover or €20 million, whichever is greater.

Remediation

Update OpenEMR to version 7.0.2 patch 2. The patch is available from the OpenEMR GitHub releases page and the official OpenEMR download site. For shared hosting environments running OpenEMR, contact your hosting provider about update procedures.

For organisations that cannot update immediately: restrict internet access to the OpenEMR patient portal and disable patient portal functionality until patching is complete. An unauthenticated SQL injection against an internet-accessible EMR represents unacceptable risk during the window before patching.
