CVE-2025-54373 HIGH

CVE-2025-54373: OpenEMR may expose Contents of Clinical Notes and Care Planto users who do not have Sensitivities=high privilege

Vendor Openemr
Product openemr
Weakness CWE-200 · Info exposure
Published January 27, 2026
Last update January 28, 2026
View on NVD All CVEs

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical Notes and Care Plan, where an encounter has Sensitivity=high, can be viewed and changed by users who do not have Sensitivities=high privilege. Version 7.0.4 fixes the issue.

Key dates

02Disclosure timeline

January 27, 2026 CVE published
January 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-41914 Non-constant-time SCIM token comparison in Zulip Server CVE-2018-0442 Cisco Wireless LAN Controller Software Control and Provisioning of Wireless Access Points Protocol Information Disclosure Vulnerability CVE-2025-12147 Unauthorized access to fields protected by Field-Level Security (FLS) when those fields are members of an object CVE-2025-68110 ChurchCRM discloses database information on error message CVE-2026-7382 Information Disclosure in MeWare Software's PDKS