CVE-2026-25127 HIGH

CVE-2026-25127: OpenEMR has Broken Access Control on Care Coordination Module

Vendor Openemr

Product openemr

Weakness CWE-863 · Incorrect authorization

Published February 25, 2026

Last update February 25, 2026

View on NVD All CVEs

CVSS base score

7.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permission. Unauthorized users can view the information of authorized users. Version 8.0.0 fixes the issue.

Key dates

02Disclosure timeline

February 25, 2026 CVE published

February 25, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25127

Related vulnerabilities

04Related CVE

CVE-2024-47616 Pomerium's service account access token may grant unintended access to databroker API CVE-2025-10908 Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access CVE-2025-58052 Galette has groups managers access control bypass on Members CVE-2023-2640 CVE-2024-7604 Logsign Unified SecOps Platform Incorrect Authorization Authentication Bypass Vulnerability