CVE-2026-24487 MEDIUM

CVE-2026-24487: OpenEMR has FHIR Patient Compartment Bypass in CareTeam Resource

Vendor Openemr
Product openemr
Weakness CWE-200 · Info exposure
Published February 25, 2026
Last update February 26, 2026
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all patients instead of being restricted to only the authenticated patient's data. This could potentially lead to unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures across the entire system. The issue occurs because the `FhirCareTeamService` does not implement the `IPatientCompartmentResourceService` interface and does not pass the patient binding parameter to the underlying service, bypassing the patient compartment filtering mechanism. Version 8.0.0 contains a patch for this issue.

Key dates

02Disclosure timeline

February 25, 2026 CVE published
February 26, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-32710 Information Disclosure via the ‘copyresults’ SPL Command CVE-2026-4823 Enter Software Iperius Backup NTLM2 information disclosure CVE-2025-23387 Rancher's SAML-based login via CLI can be denied by unauthenticated users CVE-2025-2786 Tempo-operator: serviceaccount token exposure leading to token and subject access reviews in openshift tempo operator CVE-2023-0901 Exposure of Sensitive Information to an Unauthorized Actor in pixelfed/pixelfed