CVE-2025-46823 HIGH

CVE-2025-46823: OpenMRS has Vulnerability in FHIR2 Module Privileges

Vendor Openmrs
Product openmrs-module-fhir2
Weakness CWE-862 · Missing authorization
Published May 29, 2025
Last update May 29, 2025

CVSS base score

8.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always checked correctly, so unauthorized users may have been able to add or edit data they were not supposed to be able to change. All implementers should update to FHIR2 2.5.0 or newer as soon as feasible to receive the patch.

Key dates

02 Disclosure timeline

May 29, 2025 CVE published
May 29, 2025 Record updated