Platform
php
Component
openemr
Fixed in
8.0.1
CVE-2026-24908 is a critical SQL injection vulnerability affecting OpenEMR versions prior to 8.0.0. An attacker can exploit this flaw to execute arbitrary SQL queries through the Patient REST API endpoint, potentially gaining unauthorized access to sensitive data. This vulnerability impacts OpenEMR installations running versions 8.0.0 and earlier, and a patch is available in version 8.0.0.
An attacker exploiting this SQL injection vulnerability could gain unauthorized access to the OpenEMR database. Successful exploitation could lead to the exposure of Protected Health Information (PHI), including patient records, medical history, and personal details. Furthermore, an attacker might be able to compromise user credentials, potentially gaining administrative access to the system. The potential for data breaches and regulatory non-compliance makes this a high-impact vulnerability. The ability to execute arbitrary SQL queries provides a broad attack surface, allowing for data exfiltration, modification, or even complete database takeover.
CVE-2026-24908 was publicly disclosed on 2026-02-25. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's criticality (CVSS 10) and the potential for PHI exposure suggest a medium probability of exploitation. It is not currently listed on CISA KEV.
Healthcare providers and organizations utilizing OpenEMR, particularly those relying on the Patient REST API for data access and integration, are at significant risk. Shared hosting environments where multiple OpenEMR instances reside on the same server are also vulnerable, as a compromise of one instance could potentially impact others.
• linux / server:
journalctl -u openemr | grep -i "SQL injection"
• generic web:
curl -I 'https://<openemr_host>/api/patient?_sort='  # check for unusual response headers or errors
• database (mysql):
mysql -u <openemr_user> -p -e "SHOW TABLES LIKE 'patient%';"
EPSS: 0.00% (0th percentile)
The primary mitigation for CVE-2026-24908 is to upgrade OpenEMR to version 8.0.0 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing temporary workarounds such as restricting API access to authorized users only and carefully reviewing and validating all user inputs. Web application firewalls (WAFs) configured to detect and block SQL injection attempts can also provide an additional layer of defense. Monitor OpenEMR logs for suspicious SQL queries and unusual database activity.
Update OpenEMR to version 8.0.0 or higher. This version fixes the SQL injection vulnerability in the patient API. The update prevents the execution of arbitrary SQL queries and the possible disclosure of sensitive information.
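The input-validation workaround described above, as an added illustration that is not OpenEMR's own code: a constructed handler for a `_sort` query parameter (the parameter named in the curl check) that splices request values into the SQL text, beside a hardened version that maps the sort field through an allowlist and binds the filter value with a prepared statement. Table, column and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed illustration, not OpenEMR code. Table and column names are assumed.

// VULNERABLE pattern: request values are spliced into the SQL text, so any
// value that is not a plain column name changes the statement itself.
function patientQueryVulnerable(string $lname, string $sort): string
{
    return "SELECT pid, fname, lname FROM patient_data "
        . "WHERE lname = '$lname' ORDER BY $sort";
}

// HARDENED, part 1: ORDER BY cannot take a bound placeholder, so the sort field
// is resolved through an allowlist and the direction is a fixed keyword.
const SORTABLE = ['pid' => 'pid', 'fname' => 'fname', 'lname' => 'lname'];

function sortClause(string $sort): string
{
    $direction = 'ASC';
    if (substr($sort, 0, 1) === '-') {   // "-lname" requests descending order
        $direction = 'DESC';
        $sort = substr($sort, 1);
    }
    if (!isset(SORTABLE[$sort])) {
        throw new InvalidArgumentException("unsupported _sort field: $sort");
    }
    return SORTABLE[$sort] . ' ' . $direction;
}

// HARDENED, part 2: data values are bound, never concatenated.
function findPatients(PDO $db, string $lname, string $sort): array
{
    $stmt = $db->prepare("SELECT pid, fname, lname FROM patient_data "
        . "WHERE lname = :lname ORDER BY " . sortClause($sort));
    $stmt->execute([':lname' => $lname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT)");
$db->exec("INSERT INTO patient_data VALUES (1,'Ann','Doe'), (2,'Bob','Doe'), (3,'Cy','Roe')");
print_r(findPatients($db, 'Doe', '-fname'));   // Bob, then Ann
try {
    findPatients($db, 'Doe', 'lname, pid');      // not an allowlisted field name
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The same allowlist approach applies to any identifier taken from a request (table, column, direction); only data values can be bound as placeholders.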
CVE-2026-24908 is a critical SQL injection vulnerability in OpenEMR versions prior to 8.0.0, allowing attackers to execute SQL queries through the Patient REST API.
You are affected if you are running OpenEMR versions 8.0.0 or earlier and have not yet upgraded.
Upgrade OpenEMR to version 8.0.0 or later to remediate the vulnerability. Consider temporary workarounds if immediate upgrading is not possible.
While no public exploitation is confirmed, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation.
Refer to the official OpenEMR security advisory for detailed information and updates: [https://openemr.org/security/](https://openemr.org/security/)