CVE-2026-24847
📋 TL;DR
OpenEMR versions before 8.0.0 contain an open redirect vulnerability in the Eye Exam form module (/interface/forms/eye_mag): a crafted link causes a logged-in user to be sent on to an arbitrary external URL. Because the redirect is issued by the trusted OpenEMR host, it lends itself to phishing of healthcare staff. Any installation running a version before 8.0.0 is affected.
💻 Affected Systems
- OpenEMR
📦 What is this software?
OpenEMR, an open-source electronic health records and practice management application maintained by the OpenEMR project.
⚠️ Risk & Real-World Impact
Worst Case
Healthcare staff are redirected to malicious phishing sites that steal credentials or install malware, leading to complete system compromise and patient data exfiltration.
Likely Case
Attackers use the redirect for credential harvesting through convincing phishing pages targeting healthcare staff.
If Mitigated
With proper network segmentation and user awareness training, impact is limited to unsuccessful phishing attempts.
🎯 Exploit Status
The redirect only fires for a logged-in user, so exploitation requires an authenticated victim rather than an authenticated attacker; the attacker's part is to deliver a crafted link to someone with an active session, after which triggering the redirect is trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.0
Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-6f42-6q2r-fc2h
Restart Required: Yes
Instructions:
1. Back up the OpenEMR installation and database.
2. Download OpenEMR 8.0.0 or later from the official repository.
3. Replace the existing installation with the new version.
4. Run the upgrade script.
5. Restart the web server.
🔧 Temporary Workarounds
Disable Eye Exam Module
Temporarily disable the vulnerable Eye Exam form module to prevent exploitation.
Navigate to Administration > Modules > Eye Exam and disable the module
Web Application Firewall Rule
Add a WAF rule that rejects off-site redirect targets submitted to the Eye Exam form.
Add rule: for requests under /interface/forms/eye_mag, block any redirect parameter whose value is an absolute URL to a host other than your OpenEMR hostname, or that begins with "//" (protocol-relative) or "/\" (backslash variants that browsers normalise to "//"). Allow only relative paths and absolute URLs to your own hostname. The advisory text here does not name the parameter; take it from the 8.0.0 fix diff linked above.
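The allowlist check that such a WAF rule (or the application itself) needs, written out as an added example; this is illustrative code, not OpenEMR's code or its 8.0.0 fix. The hostname in ALLOWED_HOSTS and the parameter names in REDIRECT_PARAMS are assumptions: the advisory does not name the vulnerable parameter, so replace them with your deployment's hostname and the parameter from the fix diff.

```python
from urllib.parse import urlsplit

# Hostnames at which this OpenEMR instance is legitimately served.
# Assumption for this example: replace with your own deployment's hostnames.
ALLOWED_HOSTS = {"emr.clinic.example"}

# Query/form parameter names to inspect. The advisory does not name the
# vulnerable parameter; these are placeholders to replace with the real one
# from the GHSA-6f42-6q2r-fc2h fix diff.
REDIRECT_PARAMS = ("return_url", "redirect", "next")


def redirect_is_internal(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if following `target` keeps the browser on this site.

    Accepted: relative targets ("/interface/main/main_screen.php?x=1") and
    absolute http(s) URLs whose host is in allowed_hosts.
    Rejected: other hosts, protocol-relative "//evil.example", backslash
    variants ("/\\evil.example") that browsers normalise to "//", user-info
    tricks ("https://emr.clinic.example@evil.example/") and non-http schemes.
    """
    if not target:
        return False
    # Browsers treat "\" as "/" when parsing the authority, so normalise first.
    normalised = target.strip().replace("\\", "/")
    if normalised.startswith("//"):
        return False  # protocol-relative: would leave the site
    parts = urlsplit(normalised)
    if not parts.scheme and not parts.netloc:
        return True  # plain relative path: cannot leave the origin
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, etc.
    host = parts.hostname  # lower-cased; excludes any "user@" prefix
    return host is not None and host in allowed_hosts


def should_block(query: dict) -> bool:
    """WAF-style decision for a request to /interface/forms/eye_mag:
    drop it if any redirect parameter points off-site."""
    return any(
        name in query and not redirect_is_internal(query[name])
        for name in REDIRECT_PARAMS
    )
```

The two rejections that most naive filters miss are the protocol-relative "//evil.example" form, which has no scheme and so passes a "must start with /" check, and the user-info form "https://emr.clinic.example@evil.example/", which passes a substring check for the real hostname; both are handled above by normalising backslashes before inspection and by comparing the parsed hostname rather than the raw string.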
🧯 If You Can't Patch
- Use network segmentation and access control so that OpenEMR is reachable only from clinical networks or a VPN. Note that the redirect is executed by the victim's browser, not the server, so pair this with egress filtering or a proxy allowlist on staff workstations to keep the browser from reaching the attacker's site
- Enforce multi-factor authentication for all user accounts
🔍 How to Verify
Check if Vulnerable:
Check if OpenEMR version is below 8.0.0 and if the Eye Exam module is enabled.
Check Version:
Check the version in the OpenEMR interface under Administration > Version, or read version.php in the installation's web root ($v_major, $v_minor, $v_patch). Note that /sites/default/sqlconf.php holds the database configuration, not the version.
Verify Fix Applied:
After upgrading to 8.0.0+, submit the Eye Exam form with a redirect target on an external host (for example https://example.com/) and confirm that the response either stays on your OpenEMR hostname or is rejected, rather than returning a 30x with an off-site Location header.
📡 Detection & Monitoring
Log Indicators:
- HTTP 30x redirect responses from /interface/forms/eye_mag whose Location header points to a host other than your OpenEMR hostname (this requires logging the Location response header, e.g. %{Location}o in an Apache LogFormat)
- Requests to /interface/forms/eye_mag whose query string or form body carries an absolute URL or a protocol-relative "//" value in a redirect parameter
Network Indicators:
- Outbound connections to suspicious domains following Eye Exam form submissions
- Unusual redirect patterns in HTTP traffic
SIEM Query (field names are illustrative; map them to your log schema and make sure the redirect destination is actually logged):
source="openemr_logs" AND url_path="/interface/forms/eye_mag*" AND status IN (301, 302, 303, 307, 308) AND destination_domain NOT IN (allowed_domains)
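The log check behind that query, as an added example run over constructed log lines; it is not OpenEMR's or Apache's code. It assumes the web server has been configured to log the Location response header (Apache's %{Location}o) in the layout shown, that ALLOWED_HOSTS lists your instance's hostnames, and that the sub-paths under eye_mag in the sample are placeholders.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"emr.clinic.example"}  # assumption: your instance's hostnames
EYE_EXAM_PREFIX = "/interface/forms/eye_mag"
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}

# Assumed log layout (not a real OpenEMR or Apache default):
#   client user [time] "METHOD path PROTO" status "Location response header"
# Apache can produce the last field with %{Location}o in a LogFormat.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'"(?P<location>[^"]*)"$'
)

# Constructed sample lines; the view.php/save.php sub-paths are placeholders.
SAMPLE_LOG = """\
10.0.5.21 drsmith [12/Mar/2026:09:14:02 +0000] "GET /interface/forms/eye_mag/view.php?id=7 HTTP/1.1" 200 "-"
10.0.5.21 drsmith [12/Mar/2026:09:14:09 +0000] "POST /interface/forms/eye_mag/save.php HTTP/1.1" 302 "https://emr.clinic.example/interface/patient_file/encounter/encounter_top.php"
10.0.5.44 nurse1 [12/Mar/2026:09:20:41 +0000] "GET /interface/forms/eye_mag/view.php?id=9 HTTP/1.1" 302 "https://emr-clinic-login.example/secure"
10.0.5.44 nurse1 [12/Mar/2026:09:21:03 +0000] "GET /interface/login/login.php HTTP/1.1" 302 "/interface/main/main_screen.php"
10.0.5.50 admin1 [12/Mar/2026:09:30:15 +0000] "GET /interface/forms/eye_mag/view.php?id=3 HTTP/1.1" 302 "//collect.example/?s=1"
"""


def location_host(location: str):
    """Host a Location header would send the browser to, or None if relative."""
    if not location or location == "-":
        return None
    # Backslashes are normalised to "/" so "/\evil" is seen as "//evil".
    return urlsplit(location.replace("\\", "/")).hostname


def find_external_redirects(log_text: str, allowed_hosts=ALLOWED_HOSTS):
    """Return redirect responses from the Eye Exam form that leave the site.

    On-site redirects (relative Location or an allowed host) and redirects
    from other parts of OpenEMR are ignored, so each hit is a candidate
    exploitation event worth tying back to the user and client address.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(EYE_EXAM_PREFIX):
            continue
        if m["status"] not in REDIRECT_STATUSES:
            continue
        host = location_host(m["location"])
        if host is None or host in allowed_hosts:
            continue
        hits.append({
            "time": m["time"],
            "client": m["client"],
            "user": m["user"],
            "path": m["path"],
            "host": host,
        })
    return hits


if __name__ == "__main__":
    for hit in find_external_redirects(SAMPLE_LOG):
        print(f'{hit["time"]} user={hit["user"]} client={hit["client"]} '
              f'{hit["path"]} -> {hit["host"]}')
```

Only the third and fifth sample lines are reported: the second is a redirect to the instance's own hostname, and the fourth is a relative redirect from the login page rather than the Eye Exam form. The lookalike domain emr-clinic-login.example is exactly what a substring match on "emr" would let through, which is why the check compares the parsed hostname against an explicit allowlist.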