{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25131", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T14:03:42.540Z", "datePublished": "2026-02-25T01:55:43.778Z", "dateUpdated": "2026-02-25T20:34:41.500Z"}, "containers": {"cna": {"title": "OpenEMR has Broken Access Control in Procedures Configuration", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-6h2m-4ppf-ph4j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-6h2m-4ppf-ph4j"}, {"name": "https://github.com/openemr/openemr/commit/1e63cbab34558bca029533f87cdb6efb1ff32c75", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/1e63cbab34558bca029533f87cdb6efb1ff32c75"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T01:55:43.778Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege users (such as Receptionist) to add and modify procedure types without proper authorization. This vulnerability is present in the /openemr/interface/orders/types_edit.php endpoint. Version 8.0.0 contains a patch."}], "source": {"advisory": "GHSA-6h2m-4ppf-ph4j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T20:30:13.965960Z", "id": "CVE-2026-25131", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:34:41.500Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEAA9896-A42E-437C-BEE8-8DA955E34385", "versionEndExcluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege users (such as Receptionist) to add and modify procedure types without proper authorization. This vulnerability is present in the /openemr/interface/orders/types_edit.php endpoint. Version 8.0.0 contains a patch."}], "id": "CVE-2026-25131", "lastModified": "2026-02-25T16:56:00.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T02:16:22.967", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/1e63cbab34558bca029533f87cdb6efb1ff32c75"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-6h2m-4ppf-ph4j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-04-18T17:43:10.431809+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0 or later, which contains the definitive fix for the broken access control.", "Revoke or restrict the Receptionist role from the ability to edit procedure types until an upgrade is possible.", "Conduct regular security scanning of the web application to detect unauthorized changes to procedure type configuration."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification of procedure types in OpenEMR"}, "threat_synthesis": {"affected_systems": "Vulnerable versions are all releases of OpenEMR prior to 8.0.0. The affected product is OpenEMR, an open\u2011source electronic health records system.", "description_and_impact": "OpenEMR\u2019s order types management module contains a broken access control flaw that allows users with low\u2011privilege roles, such as Receptionist, to add or edit procedure types via the /openemr/interface/orders/types_edit.php endpoint. This unauthorized modification undermines the intended control over procedure catalog entries.", "risk_and_exploitability": "The CVSS score of 8.8 signals a high\u2011severity issue, while an EPSS score of less than 1\u202fpercent indicates a low probability of widespread exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation is possible via the web interface by any logged\u2011in user with a low\u2011privilege role; no elevated permissions or remote code execution are required."}}}}, "created": "2026-02-25T11:35:09.802333+00:00", "updated": "2026-04-18T17:45:06.065021+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}