Thirty-eight vulnerabilities, including two maximum-severity CVSS 10.0 zero-days, were discovered in OpenEMR — and have been patched, researchers at security firm Aisle reported.
Aisle's AI-driven analysis and scope of the findings
Three Aisle researchers said they found the flaws during the first months of this year using an artificial intelligence–driven analysis. The team reported 38 total vulnerabilities across the open-source electronic medical record platform, which Aisle noted is used by about 100,000 healthcare providers worldwide. Aisle grouped the issues into defined categories and published details that led to fixes in the upstream project.
The two CVSS 10.0 zero-days: CVE-2026-24898 and CVE-2026-24908
Aisle flagged two maximum-severity, CVSS 10.0 zero-day vulnerabilities that, if exploited, could result in full database compromise, large-scale data exfiltration, and remote code execution on the server. The first, CVE-2026-24898, is an unauthenticated patient identity disclosure flaw that Aisle characterized as exploitable against any internet-reachable OpenEMR instance without credentials.
Aisle explained the mechanism in concrete terms: "Because the MedEx recall/reminder callback endpoint sets $ignoreAuth = true, any unauthenticated visitor can POST to the MedEx recall/reminder endpoint and receive the medical practice's API tokens in the JSON response," the researchers said. With those tokens, malicious actors could gain access to full patient identity and contact details as well as appointment metadata.
The second maximum-severity issue, CVE-2026-24908, is an SQL injection vulnerability in OpenEMR's Patient REST API. Aisle described the root cause as a common REST pattern gone wrong: "the _sort query parameter lets clients choose an ordering for returned results," but the values passed to _sort "were concatenated directly into SQL ORDER BY clauses with no validation, no whitelisting of allowed sort fields, and no identifier escaping."
Other grouped issues: authorization, XSS, SQLi, path traversal, sessions
Beyond the two CVSS 10.0 entries, Aisle cataloged a range of vulnerabilities from critical to medium severity. The firm grouped 25 flaws involving missing or incorrect authorization, nine cross-site scripting (XSS) vulnerabilities, and five additional problems that included SQL injection, path traversal, and session-handling flaws. Taken together, the categories highlight multiple dimensions where unauthenticated or improperly authorized requests could expose sensitive electronic health record data.
OpenEMR 8.0, certification, and the patch response
Aisle reported that the latest version of OpenEMR, version 8.0, was released in February and has U.S. government certification as an electronic health record platform. Following the disclosure of the vulnerabilities, the OpenEMR project issued patches addressing the problems Aisle identified. The researchers’ public disclosures and technical descriptions explain both the impact and the specific code paths where fixes were applied.
What this means for healthcare providers, open-source maintainers, and security teams
- Healthcare providers: Organizations using OpenEMR — noted by Aisle to number about 100,000 globally — will need to ensure they have applied the upstream patches to address the disclosed zero-days and related flaws. The most acute risk described by Aisle is an unauthenticated disclosure of API tokens and patient identity data via the MedEx callback endpoint.
- Open-source maintainers: The findings underscore how a mix of REST patterns (for example, an open _sort parameter) and configuration defaults (for example, $ignoreAuth set true on a callback endpoint) can combine to create high-severity exposures. Maintainership will require both targeted fixes and ongoing review of default endpoint behaviors.
- Security teams: For security operations, the immediate priorities are verifying that deployed instances have been updated and auditing access to any API tokens that might previously have been exposed. The specific exploit paths Aisle described — unauthenticated POSTs returning API tokens and unsanitized values inserted into ORDER BY clauses — give security teams concrete indicators to check in configuration and logs.
OpenEMR users and administrators have received patched code from the project; Aisle’s disclosures give a clear map of the worst vulnerabilities and how they worked. The essential next step — applying those upstream fixes and confirming that internet-reachable instances are protected — remains the practical measure called for by the facts in this report.
Original story: https://www.govinfosecurity.com/researchers-find-38-flaws-in-openemr-theyve-been-fixed-a-31520




