{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25744", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T16:48:00.428Z", "datePublished": "2026-03-19T19:25:56.474Z", "dateUpdated": "2026-03-19T20:32:14.407Z"}, "containers": {"cna": {"title": "OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-mv9m-j65p-g55f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-mv9m-j65p-g55f"}, {"name": "https://github.com/openemr/openemr/commit/c3a47c37619cdb4f0aaa168e39a93ab1d106429c", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/c3a47c37619cdb4f0aaa168e39a93ab1d106429c"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T19:25:56.474Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current patient or encounter. An authenticated user with encounters/notes permission can overwrite any patient's vitals by supplying another patient's vital `id`, leading to medical record tampering. Version 8.0.0.2 fixes the issue."}], "source": {"advisory": "GHSA-mv9m-j65p-g55f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T20:31:59.417207Z", "id": "CVE-2026-25744", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T20:32:14.407Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25744", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T20:31:59.417207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T20:32:08.406Z"}}], "cna": {"title": "OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals", "source": {"advisory": "GHSA-mv9m-j65p-g55f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.2"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-mv9m-j65p-g55f", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-mv9m-j65p-g55f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/c3a47c37619cdb4f0aaa168e39a93ab1d106429c", "name": "https://github.com/openemr/openemr/commit/c3a47c37619cdb4f0aaa168e39a93ab1d106429c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current patient or encounter. An authenticated user with encounters/notes permission can overwrite any patient's vitals by supplying another patient's vital `id`, leading to medical record tampering. Version 8.0.0.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T19:25:56.474Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25744", "state": "PUBLISHED", "dateUpdated": "2026-03-19T20:32:14.407Z", "dateReserved": "2026-02-05T16:48:00.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T19:25:56.474Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "C78F19AD-BD18-4F61-8B1C-DD099DBC6D34", "versionEndExcluding": "8.0.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current patient or encounter. An authenticated user with encounters/notes permission can overwrite any patient's vitals by supplying another patient's vital `id`, leading to medical record tampering. Version 8.0.0.2 fixes the issue."}], "id": "CVE-2026-25744", "lastModified": "2026-03-20T17:19:12.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T20:16:13.480", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/c3a47c37619cdb4f0aaa168e39a93ab1d106429c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-mv9m-j65p-g55f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-20T18:24:08.892485+00:00", "value": {"mitigation_remediation": ["Apply the OpenEMR security update to version 8.0.0.2 or later", "If an immediate update is not possible, remove the encounters/notes permission from all non\u2011administrative users or enforce a role\u2011based policy that restricts overwrite capability", "Audit audit logs for unexpected vital record updates and investigate any anomalies", "Verify that the deployed version matches the patched release and that the API no longer accepts arbitrary ids"], "summary": {"action": "Immediate Patch", "impact": "Medical Record Tampering"}, "threat_synthesis": {"affected_systems": "The flaw exists in the OpenEMR application for all releases before version 8.0.0.2. The vendor, OpenEMR, released a fix in release 8.0.0.2 that removes the unchecked update path. Any environment running OpenEMR older than 8.0.0.2 and where users possess encounters/notes permissions is potentially affected.", "description_and_impact": "The OpenEMR encounter vitals API accepts an \"id\" value in a POST request and treats it as an UPDATE operation without verifying that the vital record belongs to the current patient or encounter. An authenticated user who has permission to manage encounters or notes can supply the id of another patient's vital record, causing that record to be overwritten. This permits active tampering of medical data, undermining the integrity of health records and potentially leading to incorrect clinical decisions. The weakness corresponds to CWE\u2011639, a form of untrusted data manipulation that can yield logical errors and data corruption.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity potential, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid user account with the appropriate permissions, and the attack is performed over the web interface, so it is a remote, authenticated request. The impact is confined to the data of the victim\u2019s records but can be significant within a care setting. Monitoring of unusual overwrite attempts and limiting permission sets can reduce the exploitation window."}}}}, "created": "2026-03-20T08:56:30.026609+00:00", "updated": "2026-03-25T11:55:14.695384+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}