What is the CVSS score of CVE-2026-25927?

CVE-2026-25927 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of Openemr are affected by CVE-2026-25927?

OpenEMR installations up to version 8.0.0 contain an authorization bypass vulnerability that allows attackers to access patient data and system functions without proper authentication.

Is there a public PoC exploit available for CVE-2026-25927?

Yes, a public proof-of-concept exploit is available for CVE-2026-25927. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-25927?

Within 24 hours: Inventory all OpenEMR deployments and versions; disable internet-facing access or restrict to VPN only; enable logging and monitoring for unauthorized access attempts. Within 7 days: Implement network segmentation isolating OpenEMR from critical systems; conduct access logs review for suspicious activity; contact vendor for patch timeline and workarounds. Within 30 days: Apply vendor patch immediately upon release; perform full security audit of affected systems; notify affected patients and legal if breach is confirmed.

Openemr CVE-2026-25927

HIGH

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-02-25 security-advisories@github.com

Authentication Bypass Openemr

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 27, 2026 - 14:40 vuln.today

Public exploit code

CVE Published

Feb 25, 2026 - 19:43 nvd

HIGH 7.1

DescriptionGitHub Advisory

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (doc_id) without verifying that the document belongs to the current user’s authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue.

AnalysisAI

Openemr versions up to 8.0.0 is affected by authorization bypass through user-controlled key (CVSS 7.1).

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as any OpenEMR user

Delivery

Enumerate document IDs

Exploit

Request DICOM viewer state API with unauthorized doc_id

Execution

Access or modify DICOM annotations and settings

Impact

Read sensitive medical imaging data