Overview
- Application security firm Aisle reported 39 issues in the open-source electronic medical records system, with 38 assigned CVEs and patches issued by OpenEMR.
- Two critical SQL injection bugs, CVE-2026-24908 and CVE-2026-23627, could let any logged-in user take over the database, pull sensitive data, steal passwords, and run code on the server.
- An authorization bypass, CVE-2026-24487, could let an attacker view or change patient information without proper checks.
- Most problems stemmed from missing or incorrect permission checks, with other flaws including cross-site scripting, path traversal, and sessions that did not expire as they should.
- OpenEMR serves over 100,000 providers and holds records on more than 200 million patients, yet the researchers report no confirmed in-the-wild exploitation of these bugs, an absence they attribute to deployments being firewalled and updated promptly.
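The two defect classes the summary names, SQL injection and a missing authorization check, are easier to recognise side by side. The block below is an added illustration, not OpenEMR code: Python with the standard-library sqlite3 module stands in for OpenEMR's PHP/MySQL stack, and the patient rows, the user-to-patient care-team mapping, and the function names are all constructed for the example. Each "vulnerable" function shows the pattern the report describes; the function beside it shows the fix a maintainer would ship (bound parameters, and an object-level permission check before the read).

```python
import sqlite3

# Constructed sample data (not from OpenEMR): a tiny patient table.
PATIENTS = [
    (1, "Alice Example", "MRN-0001"),
    (2, "Bob Example", "MRN-0002"),
    (3, "Carol Example", "MRN-0003"),
]

# Constructed care-team assignment: which user may read which patient.
# In a real EMR this comes from the application's ACL layer.
CARE_TEAM = {
    "dr_smith": {1, 2},
    "dr_jones": {3},
}


def open_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient (pid INTEGER PRIMARY KEY, name TEXT, mrn TEXT)"
    )
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", PATIENTS)
    return conn


def find_by_mrn_vulnerable(conn, mrn):
    """SQL injection pattern: untrusted input is spliced into the SQL text."""
    sql = "SELECT pid, name FROM patient WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def find_by_mrn_fixed(conn, mrn):
    """Fixed form: the driver binds mrn as a value, never as SQL syntax."""
    return conn.execute(
        "SELECT pid, name FROM patient WHERE mrn = ?", (mrn,)
    ).fetchall()


def is_authorized(user, pid):
    """Object-level check: is this user on the patient's care team?"""
    return pid in CARE_TEAM.get(user, set())


def get_patient_no_authz(conn, user, pid):
    """Authorization-bypass pattern: the caller's identity is never consulted."""
    return conn.execute(
        "SELECT pid, name FROM patient WHERE pid = ?", (pid,)
    ).fetchone()


def get_patient_authz(conn, user, pid):
    """Fixed form: deny before touching the record unless the user is authorized."""
    if not is_authorized(user, pid):
        raise PermissionError(f"{user} is not authorized for patient {pid}")
    return conn.execute(
        "SELECT pid, name FROM patient WHERE pid = ?", (pid,)
    ).fetchone()


def demo():
    """Run both pairs against the same input and report what each returns."""
    conn = open_db()
    probe = "x' OR '1'='1"  # a classic tautology, used here only to show the difference
    return {
        "vulnerable_rows": len(find_by_mrn_vulnerable(conn, probe)),  # 3: every row leaks
        "fixed_rows": len(find_by_mrn_fixed(conn, probe)),            # 0: no MRN matches
        "bypass_read": get_patient_no_authz(conn, "dr_jones", 1),     # Alice, wrongly readable
        "authz_allowed": is_authorized("dr_jones", 3),                # True
        "authz_denied": is_authorized("dr_jones", 1),                 # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second pair is the more instructive one for this report: the query in `get_patient_no_authz` is already parameterised and is not injectable, yet it is still a vulnerability because nothing ties the requested `pid` to the requesting user. Reviewing for "is there a permission check at all, and is it keyed to the object being read" catches that class; reviewing only for string concatenation does not.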