
In a recent security assessment, researchers from the firm AISLE uncovered a total of 38 vulnerabilities within OpenEMR, an open-source electronic medical record software platform utilized by approximately 100,000 healthcare providers worldwide. The researchers emphasized that two of these identified issues are classified as maximum severity zero-day vulnerabilities.
The AISLE research team conducted the investigation early this year using artificial-intelligence-driven code analysis. OpenEMR, which is certified against U.S. government standards for electronic health record systems, released its latest version, 8.0, in February. The update reflects the project's effort to keep security current while serving a large number of healthcare professionals.
The most concerning vulnerabilities detected during this examination were ranked with a Common Vulnerability Scoring System (CVSS) score of 10.0, indicating their maximum severity. Exploitation of these vulnerabilities poses a grave risk, potentially leading to complete database compromise, extensive data exfiltration, and remote code execution on the servers where the software operates.
The first vulnerability, identified as CVE-2026-24898, pertains to an unauthenticated patient identity disclosure. This flaw is particularly alarming because it can be exploited by any entity with internet access to an OpenEMR instance, requiring no login credentials whatsoever. The researchers highlighted that this vulnerability stems from the configuration of the MedEx recall/reminder callback endpoint, which is erroneously set to allow unauthenticated access, thereby enabling any visitor to interact with it.
According to AISLE, this misconfiguration allows malicious actors to make POST requests to the MedEx recall/reminder endpoint and subsequently receive sensitive medical practice API tokens in the response. With access to these tokens, perpetrators could gain insights into crucial patient identity and contact information, along with appointment metadata, amplifying the potential harm.
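The failure mode described above is an endpoint that was meant to be protected but is reachable by anyone, and that hands back credentials in its response. The following is an added illustration, not OpenEMR code or AISLE's material: it models a deny-by-default dispatcher in which a route skips the credential check only if it is explicitly listed as public, and an audit helper that flags public routes whose handler emits secrets. The route paths, handler names, the `principal` field (a user session or a verified service credential) and the placeholder token are all assumptions.

```python
"""Deny-by-default dispatch plus an audit for public routes that emit credentials.

Added example, not OpenEMR's own code. Paths, handlers and the token value are
hypothetical placeholders that mimic the misconfiguration described in the text.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Request:
    path: str
    method: str
    principal: Optional[str] = None  # None: no session / no verified credential
    body: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Dict[str, str]


# Hypothetical handlers. The first stands in for a recall/reminder callback that
# returns practice API tokens; the token is a constructed placeholder.
def recall_reminder_callback(req: Request) -> Response:
    return Response(200, {"api_token": "PRACTICE-TOKEN-PLACEHOLDER"})


def appointments_listing(req: Request) -> Response:
    return Response(200, {"appointments": "constructed sample"})


def login(req: Request) -> Response:
    return Response(200, {"status": "login form"})


# Handlers whose responses contain credentials; must never be on the public list.
CREDENTIAL_EMITTING_HANDLERS = {recall_reminder_callback}


class Router:
    def __init__(self, routes: Dict[str, Callable[[Request], Response]], public: Set[str]):
        self.routes = routes
        self.public = public  # explicit allowlist of routes reachable without a credential

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        if handler is None:
            return Response(404, {"error": "not found"})
        # Deny by default: an unauthenticated request only proceeds on a public route.
        if req.principal is None and req.path not in self.public:
            return Response(401, {"error": "authentication required"})
        return handler(req)


def audit_public_routes(router: Router) -> List[str]:
    """Return public routes whose handler is known to emit credentials."""
    return sorted(
        path for path in router.public
        if router.routes.get(path) in CREDENTIAL_EMITTING_HANDLERS
    )


ROUTES = {
    "/medex/callback": recall_reminder_callback,  # hypothetical path
    "/appointments": appointments_listing,
    "/login": login,
}

# Weak configuration: the callback is listed as public, so the token leaks to anyone.
weak_router = Router(ROUTES, public={"/login", "/medex/callback"})
# Corrected configuration: only the login page is public.
fixed_router = Router(ROUTES, public={"/login"})


if __name__ == "__main__":
    anon = Request("/medex/callback", "POST")
    print("weak  :", weak_router.dispatch(anon))
    print("fixed :", fixed_router.dispatch(anon))
    print("audit :", audit_public_routes(weak_router))
```

The audit helper is the piece worth keeping in a CI check: it turns "is this endpoint accidentally public?" into a list that is empty when the configuration is right.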
The second maximum-severity vulnerability, CVE-2026-24908, is an SQL injection flaw in OpenEMR's Patient REST API. It arises from how the software handles the _sort query parameter, which is ordinarily used to order returned results, a standard convention in REST API design. In the affected implementation, _sort values are concatenated directly into the SQL ORDER BY clause without validation, whitelisting, or identifier escaping, which makes SQL injection possible.
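ORDER BY is the classic place where parameterized queries do not help, because a column name cannot be bound as a value; the fix is to validate the parameter against an allowlist of sortable identifiers and emit the direction as a fixed keyword. The following is an added example, not OpenEMR's code: it shows an unsafe builder that splices `_sort` straight into the clause beside a hardened one, and runs the hardened version against a constructed SQLite table. The column set, the `_sort` grammar (comma-separated fields, leading `-` for descending) and the sample rows are assumptions.

```python
"""Allowlisted handling of a REST `_sort` parameter when building ORDER BY.

Added example, not OpenEMR's own code. The column allowlist, the `_sort`
grammar and the sample table are constructed for illustration.
"""
import re
import sqlite3
from typing import List

# Allowlist of identifiers a caller may sort by (assumption for this example).
SORTABLE_COLUMNS = {"id", "fname", "lname", "DOB"}
# One sort field: optional leading '-' (descending), then a plain identifier.
_FIELD_RE = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*$")


def unsafe_order_by(sort_param: str) -> str:
    """Before: the raw parameter is spliced into the clause (the defect the text describes)."""
    return f"ORDER BY {sort_param}"


def safe_order_by(sort_param: str) -> str:
    """After: every field must match the identifier grammar and the allowlist.

    The direction comes from the leading '-' and is emitted as a fixed keyword, so
    no caller-controlled characters ever reach the SQL string.
    """
    parts = []
    for raw in sort_param.split(","):
        raw = raw.strip()
        if not _FIELD_RE.match(raw):
            raise ValueError(f"malformed sort field: {raw!r}")
        descending = raw.startswith("-")
        name = raw[1:] if descending else raw
        if name not in SORTABLE_COLUMNS:
            raise ValueError(f"unsortable field: {name!r}")
        parts.append(f'"{name}" {"DESC" if descending else "ASC"}')
    return "ORDER BY " + ", ".join(parts)


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient_data (id INTEGER, fname TEXT, lname TEXT, DOB TEXT)")
    conn.executemany(
        "INSERT INTO patient_data VALUES (?, ?, ?, ?)",
        [
            (1, "Ann", "Zed", "1980-01-01"),
            (2, "Bob", "Adams", "1975-05-05"),
            (3, "Cy", "Moore", "1990-09-09"),
        ],
    )
    return conn


def query_patient_ids(conn: sqlite3.Connection, sort_param: str) -> List[int]:
    """Return patient ids ordered according to a validated `_sort` value."""
    sql = "SELECT id FROM patient_data " + safe_order_by(sort_param)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = demo_db()
    print(query_patient_ids(db, "lname"))
    print(query_patient_ids(db, "-DOB"))
    for bad in ("lname; anything", "password", ""):
        try:
            safe_order_by(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

A useful regression test for an API like this is exactly the negative cases above: anything that is not a bare allowlisted identifier must be rejected before a query is built, and the unsafe builder's acceptance of arbitrary strings is the signature to look for in code review.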
In addition to these two findings, the researchers catalogued the remaining vulnerabilities by type and severity: 25 cases of missing or incorrect authorization, nine cross-site scripting vulnerabilities, and five further issues involving SQL injection, path traversal, and session management flaws. Taken together, these issues affect not only individual healthcare providers but the integrity of patient data across the platform.
The comprehensive disclosure of these vulnerabilities signals a significant focus within the healthcare sector on cybersecurity, particularly during a period when reliance on digital medical records is ever-increasing. As healthcare providers consider the implications of such findings, proactive measures to enhance security protocols alongside regular updates to software can serve as crucial strategies in mitigating potential risks in the future.