VULNERABILITY BRIEF

38 Vulnerabilities Fixed in OpenEMR, Including Two CVSS 10.0 Zero‑Days

LiveThreat™ Intelligence · April 28, 2026 · databreachtoday.com
  • Severity: High
  • Type: Vulnerability
  • Confidence: HIGH
  • Affected: 3 sector(s)
  • Actions: 5 recommended
  • Source: databreachtoday.com


What It Is

Researchers at Aisle used AI‑driven analysis to uncover 38 security flaws in OpenEMR, an open‑source electronic medical record (EMR) system deployed by roughly 100 000 healthcare providers worldwide. The flaws span missing authorization, cross‑site scripting, SQL injection, and two maximum‑severity (CVSS 10.0) zero‑day bugs that could enable full database compromise and remote code execution. All issues have been patched in OpenEMR 8.0, released in February 2026.

Exploitability

The two CVSS 10.0 bugs (CVE‑2026‑24898 and CVE‑2026‑24908) were zero‑days with unauthenticated exploitation paths. No public exploits were observed, but the vulnerabilities were theoretically exploitable before the patch. The remaining 36 issues vary from critical to medium severity; many required authentication or specific API calls.

Affected Products

  • OpenEMR 8.0 (open‑source EMR platform)
  • All OpenEMR versions prior to the February 2026 patch

TPRM Impact

  • Healthcare providers, clinics, and hospitals that rely on OpenEMR for patient records.
  • Third‑party vendors that host, manage, or integrate OpenEMR (e.g., SaaS EMR providers, health‑IT consultants).
  • Supply‑chain risk: a breach in an OpenEMR instance could expose PHI of thousands of patients, triggering HIPAA violations and downstream liability for partners.

Recommended Actions

  • Verify that your OpenEMR installation is version 8.0 or later; apply the February 2026 security patch immediately.
  • Conduct a rapid inventory of all OpenEMR instances across your organization and any third‑party service providers.
  • Review API exposure; restrict internet‑facing endpoints and enforce authentication on MedEx recall/reminder and Patient REST APIs.
  • Perform a targeted penetration test focusing on the previously vulnerable endpoints to confirm remediation.
  • Update third‑party risk questionnaires to include OpenEMR version compliance and patch status.
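As an added example (not code from the brief or from the OpenEMR project), the following Python script applies the version and API‑authentication checks above to a constructed OpenEMR inventory; the inventory columns and the "7.0.2 (3)" version‑string format are assumptions.

```python
"""Triage a constructed OpenEMR inventory against the brief's recommended actions.

Added example, not from the brief or the OpenEMR project. Assumes an inventory
export with columns host, version, internet_facing, medex_auth, patient_api_auth;
the "major.minor.patch (n)" version-string format is an assumption.
"""
import csv
import io
import re

MIN_FIXED = (8, 0, 0, 0)  # OpenEMR 8.0 carries the February 2026 fixes (per the brief)

# Constructed sample inventory; hosts and values are made up.
SAMPLE_INVENTORY = """host,version,internet_facing,medex_auth,patient_api_auth
emr-clinic-a.example,7.0.2 (3),yes,no,yes
emr-clinic-b.example,8.0.0,yes,yes,yes
emr-vendor-c.example,7.0.3,no,no,no
emr-clinic-d.example,unknown,yes,yes,no
"""

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\((\d+)\))?\s*$")


def parse_version(text):
    """Return (major, minor, patch, realpatch) or None if the string is unparseable."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage_instance(row):
    """Return the list of action items for one inventory row (empty means none)."""
    findings = []
    ver = parse_version(row["version"])
    if ver is None:
        findings.append("version unknown: inventory and confirm build")
    elif ver < MIN_FIXED:
        findings.append(f"upgrade to 8.0 or later (running {row['version'].strip()})")
    exposed = row["internet_facing"].strip().lower() == "yes"
    # The brief singles out the MedEx recall/reminder and Patient REST APIs.
    for api, col in (("MedEx recall/reminder API", "medex_auth"), ("Patient REST API", "patient_api_auth")):
        if row[col].strip().lower() != "yes":
            findings.append(f"enforce authentication on {api} ({'internet-facing' if exposed else 'internal'})")
    return findings


def triage_inventory(csv_text):
    """Map each host to its action items."""
    return {row["host"]: triage_instance(row) for row in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for host, items in triage_inventory(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(items) or "no action needed")
```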

Source: DataBreachToday – Researchers Find 38 Flaws in OpenEMR. They've Been Fixed

Original Source
https://www.databreachtoday.com/researchers-find-38-flaws-in-openemr-theyve-been-fixed-a-31520

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
