CVE-2026-25746
📋 TL;DR
OpenEMR versions before 8.0.0 contain a SQL injection vulnerability in the prescription listing functionality that allows authenticated attackers to execute arbitrary SQL commands. This could lead to unauthorized data access, modification, or deletion of sensitive medical records. Healthcare organizations using vulnerable OpenEMR installations are affected.
💻 Affected Systems
- OpenEMR
📦 What is this software?
OpenEMR, by the OpenEMR project: open-source electronic health records (EHR) and medical practice management software.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the database including theft, modification, or deletion of all patient health records, prescription data, and administrative credentials, potentially leading to data breach, medical fraud, or system disruption.
Likely Case
Unauthorized access to patient prescription data and personal health information, potentially enabling identity theft, medical fraud, or privacy violations.
If Mitigated
Limited impact due to proper input validation, parameterized queries, and database permission restrictions preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access, but the SQL injection is straightforward once authenticated. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.0
Vendor Advisory: https://github.com/openemr/openemr/releases/tag/v8_0_0
Restart Required: No
Instructions:
1. Back up your OpenEMR database and files.
2. Download OpenEMR 8.0.0 or later from the official repository.
3. Follow the upgrade instructions at https://www.open-emr.org/wiki/index.php/Upgrading_OpenEMR.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for prescription-related parameters to block SQL injection attempts.
# Add input validation in controller.php and related prescription files
# Example: if (!preg_match('/^[a-zA-Z0-9_\-\.]+$/', $input)) { die('Invalid input'); }
Web Application Firewall Rules
Deploy WAF rules to detect and block SQL injection patterns in prescription-related requests.
# ModSecurity rule example: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
# Add to your WAF configuration
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OpenEMR systems and limit database access
- Enable detailed SQL query logging and monitor for suspicious database activity patterns
🔍 How to Verify
Check if Vulnerable:
Check the OpenEMR version in the interface footer or via the 'SELECT * FROM version' database query. If the version is below 8.0.0, the system is vulnerable.
Check Version:
SELECT * FROM version; or check the interface footer at /interface/login/login.php
Verify Fix Applied:
After upgrading to 8.0.0+, verify version displays correctly and test prescription functionality works without SQL errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by prescription access
- SQL syntax errors in application logs
Network Indicators:
- Unusual database connection patterns from application servers
- SQL keywords in HTTP POST parameters to prescription endpoints
SIEM Query:
source="apache_access" AND (uri="/interface/main/prescriptions*" OR uri="/controller.php*") AND (query="UNION" OR query="SELECT" OR query="INSERT" OR query="DELETE")
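The SIEM query above, turned into runnable detection logic as an added example that is not part of the original advisory: it parses Apache combined-format access-log lines, keeps only requests to the prescription and controller.php paths named in the query, and flags query parameters whose URL-decoded values contain the listed SQL keywords as whole words (so values like "selector" do not fire). The log lines and the list.php file name under the prescriptions path are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')
# Request paths the SIEM query above watches (prefixes taken from the advisory).
WATCHED_PREFIXES = ("/interface/main/prescriptions", "/controller.php")
# Whole-word match so values such as "selector" or "insertion" are not flagged.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b", re.IGNORECASE)

def parse_line(line):
    """Split one access-log line into fields; None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(target):
    """(name, decoded value) of query parameters on a watched path that contain SQL keywords."""
    parts = urlsplit(target)
    if not parts.path.startswith(WATCHED_PREFIXES):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes one layer; decode again so double-encoded keywords are still seen.
        decoded = unquote_plus(value)
        if SQL_KEYWORDS.search(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Run the detection over raw log lines; one alert dict per flagged parameter."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, decoded in suspicious_params(rec["target"]):
            alerts.append({"ip": rec["ip"], "path": urlsplit(rec["target"]).path, "param": name, "value": decoded})
    return alerts

# Constructed sample lines; the file name under the watched prefix is made up for the demo.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2026:10:00:00 +0000] "GET /interface/main/prescriptions/list.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Jan/2026:10:00:01 +0000] "GET /interface/main/prescriptions/list.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.8 - - [12/Jan/2026:10:00:03 +0000] "GET /controller.php?act=selector HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Access logs carry only the query string, so the "SQL keywords in HTTP POST parameters" indicator above needs the application or WAF audit log rather than this parser.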
🔗 References
- https://github.com/ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4
- https://github.com/openemr/openemr/blob/2b46e594b9dd665fb7f16c913ca07f5c6d54412b/library/classes/Controller.class.php#L77
- https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controller.php#L6
- https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controllers/C_Prescription.class.php#L180
- https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/library/classes/Prescription.class.php#L1148
- https://github.com/openemr/openemr/commit/e230d3ef46425ffc96a37dc6369428aa37c88554
- https://github.com/openemr/openemr/security/advisories/GHSA-78r7-g65p-gpw3