CVE-2026-25929
📋 TL;DR
This vulnerability in OpenEMR allows authenticated users who hold document ACL permissions to bypass authorization checks and view other patients' photos by manipulating patient or document IDs. It affects all OpenEMR installations prior to version 8.0.0 in which users have been granted document ACL permissions.
💻 Affected Systems
- OpenEMR
📦 What is this software?
OpenEMR by OpenEMR
⚠️ Risk & Real-World Impact
Worst Case
Healthcare privacy breach where sensitive patient photos are exposed to unauthorized personnel, potentially violating HIPAA and other privacy regulations.
Likely Case
Unauthorized access to patient photos by healthcare staff who shouldn't have access, leading to privacy violations and potential disciplinary actions.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized users from reaching the vulnerable endpoint.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of patient/document IDs, which could be obtained through other means or enumeration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.0
Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-778w-r8rm-8qhq
Restart Required: Yes
Instructions:
1. Back up your OpenEMR installation and database.
2. Download OpenEMR 8.0.0 or later from the official repository.
3. Follow the OpenEMR upgrade documentation for your specific version path.
4. Verify the fix by testing patient photo access controls.
🔧 Temporary Workarounds
Restrict Document Controller Access
Implement network-level restrictions to limit access to the document controller endpoints to only authorized users or systems.
Temporary Code Modification
Add authorization checks to the patient_picture context in the document controller before serving patient photos.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OpenEMR from unauthorized users
- Enhance monitoring and logging of document controller access patterns
🔍 How to Verify
Check if Vulnerable:
Test if authenticated users can access patient photos by modifying patient ID parameters in document controller requests.
Check Version:
Check the OpenEMR version in the application interface, or query the database: SELECT * FROM version
Verify Fix Applied:
After upgrading to 8.0.0+, verify that unauthorized patient photo access attempts return proper authorization errors.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for patient photo access
- Unusual patterns of document controller requests with different patient IDs
Network Indicators:
- HTTP requests to document controller endpoints with manipulated patient ID parameters
SIEM Query:
source="openemr_logs" AND (uri_path="/interface/document/document.php" OR uri_path LIKE "%/document/%") AND (param="patient" OR param="doc_id") AND status=200
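To make the log indicators above concrete, here is an added detection script (not part of this advisory or of OpenEMR) that applies the same logic as the SIEM query to constructed access-log lines: it groups document controller requests by session and flags sessions that are served photos for many distinct patient IDs, or that repeatedly receive 403 responses. The log line format, the session field and the parameter names are assumptions; adapt them to your web server and OpenEMR configuration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs
# Constructed sample access-log lines (not real OpenEMR logs): client ip, session id,
# request line, HTTP status. Session s1 walks through several patient ids in a row.
SAMPLE_LOG = """\
10.0.0.5 s1 "GET /interface/document/document.php?patient=101&doc_id=7 HTTP/1.1" 200
10.0.0.5 s1 "GET /interface/document/document.php?patient=102&doc_id=7 HTTP/1.1" 200
10.0.0.5 s1 "GET /interface/document/document.php?patient=103&doc_id=7 HTTP/1.1" 200
10.0.0.5 s1 "GET /interface/document/document.php?patient=104&doc_id=7 HTTP/1.1" 200
10.0.0.9 s2 "GET /interface/document/document.php?patient=201&doc_id=9 HTTP/1.1" 200
10.0.0.9 s2 "GET /interface/patient_file/summary/demographics.php?set_pid=201 HTTP/1.1" 200
10.0.0.7 s3 "GET /interface/document/document.php?patient=301&doc_id=3 HTTP/1.1" 403
10.0.0.7 s3 "GET /interface/document/document.php?patient=302&doc_id=3 HTTP/1.1" 403
"""
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')
PATIENT_PARAMS = ("patient", "patient_id", "pid")  # assumed names; match your deployment

def parse_line(line):
    """Return (session, path, params, status) for one line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, session, method, target, status = m.groups()
    url = urlparse(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return session, url.path, params, int(status)

def find_enumeration(log_text, max_distinct_patients=3, max_denied=2):
    """Flag sessions whose document-controller requests touch more distinct patient ids
    than expected (served, 200) or repeatedly hit authorization errors (403)."""
    served, denied = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "/document/" not in rec[1]:
            continue
        session, _path, params, status = rec
        pid = next((params[k] for k in PATIENT_PARAMS if k in params), None)
        if pid is None:
            continue
        if status == 200:
            served[session].add(pid)
        elif status == 403:
            denied[session] += 1
    flagged = {}
    for s in set(served) | set(denied):
        if len(served[s]) > max_distinct_patients or denied[s] >= max_denied:
            flagged[s] = {"distinct_patients": len(served[s]), "denied": denied[s]}
    return flagged
```

Tune max_distinct_patients to the number of patients a single user legitimately works with per session; the 403 threshold becomes meaningful only after the 8.0.0 fix, since the unpatched controller returns 200 for the bypass.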