38 Vulnerabilities Found in OpenEMR Medical Software

Summary

Security firm Aisle identified 39 vulnerabilities in OpenEMR, an open-source electronic medical records system used by over 100,000 healthcare providers worldwide storing data on 200+ million patients. Of the 38 CVE-assigned flaws, the most severe are SQL injection bugs (CVE-2026-24908, CVE-2026-23627) and an authorization bypass (CVE-2026-24487) that could allow authenticated attackers to compromise databases, exfiltrate patient data, and execute remote code. All vulnerabilities have been patched in coordination with OpenEMR developers.

Full text

Dozens of vulnerabilities, including critical issues that can be exploited to steal sensitive patient information, were discovered recently in the open source electronic medical records platform OpenEMR. OpenEMR, which is used worldwide by over 100,000 healthcare providers to store data on more than 200 million patients, was analyzed by the application security firm Aisle. The company’s autonomous analyzer identified 39 issues, of which 38 have been assigned CVE identifiers. The research was conducted as part of a partnership between OpenEMR developers and Aisle, and all the vulnerabilities have been patched. The majority of the security holes were due to missing or incorrect authorization. The remaining vulnerabilities were described as XSS, SQL injection, path traversal, and session expiration issues. “In the most severe cases, SQL injection vulnerabilities combined with modest database privileges could have led to full database compromise, PHI exfiltration at scale, and remote code execution on the server,” Aisle said. The security firm highlighted three vulnerabilities that can be exploited to access or alter patient data. Two of them are critical SQL injection bugs tracked as CVE-2026-24908 and CVE-2026-23627, which can allow any authenticated attacker to compromise a database, exfiltrate data, steal credentials, and execute arbitrary code. Advertisement. Scroll to continue reading. Another flaw exposing patient data is CVE-2026-24487, described as an authorization bypass issue. The complete list of OpenEMR CVEs is available in a blog post from Aisle. Critical OpenEMR vulnerabilities that expose patient information are regularly discovered by researchers. CVEdetails has cataloged more than 200 vulnerabilities discovered over the past decade. However, there do not appear to be any public reports confirming in-the-wild exploitation of OpenEMR vulnerabilities. This may be due to many OpenEMR deployments being firewalled or kept up to date, and healthcare organizations more commonly being hit via broader vectors rather than application-specific flaws. Related: Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak Related: Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000 Related: Data Breach at Tennessee Hospital Affects 337,000 Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Electric Motorcycles and Scooters Face Hacking Risks to Security and Rider SafetyMedtronic Hack Confirmed After ShinyHunters Threatens Data LeakMalicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: GoogleEnergy and Water Management Firm Itron HackedFirefox Vulnerability Allows Tor User FingerprintingLocked Shields 2026: 41 Nations Strengthen Cyber Resilience in World’s Biggest ExerciseVulnerabilities Patched in CrowdStrike, Tenable ProductsChinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude Mythos Latest News Chrome 147, Firefox 150 Security Updates Rolling OutCritical GitHub Vulnerability Exposed Millions of RepositoriesCyber Insurance Data Gives CISOs New Ammo for Budget TalksVimeo Confirms User and Customer Data BreachThe Mythos Moment: Enterprises Must Fight Agents with AgentsWebinar Today: A Step-by-Step Approach to AI GovernanceRobinhood Vulnerability Exploited for Phishing AttacksAlleged Chinese State Hacker Extradited to US Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveCato Networks has appointed Meital Koren as Chief Legal Officer.Neill Feather has been named Chief Executive Officer at Point Wild.Oasis Security has appointed Michael DeCesare as President.More People On The MoveExpert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-24908
• cve — CVE-2026-23627
• cve — CVE-2026-24487

Entities