Platform
php
Component
openemr
Fixed in
8.0.1
CVE-2026-24908 is a critical SQL injection vulnerability in OpenEMR 8.0.0 and earlier. An attacker with access to the Patient REST API endpoint can use it to execute arbitrary SQL against the application database and read data the API was never meant to return. The fix shipped in OpenEMR 8.0.1.
The flaw lets authenticated users with API access bypass the application's access controls and run SQL of their own choosing against the backing database. An attacker could use this to extract Protected Health Information (PHI), including patient records, medical history and billing details. Depending on what the injected query can reach, it could also expose stored credentials, giving the attacker persistent access to the OpenEMR instance and a path to higher privileges. The combination of PHI exposure and the regulatory consequences of a healthcare data breach makes this a high-impact vulnerability.
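The mechanism described above, as an added example that is not OpenEMR's code: a patient lookup written two ways against a constructed in-memory SQLite database. The table and column names (`patient_data`, `users`, `fname`, `ss`) and the sample rows are illustrative assumptions, not the project's real schema or data. The string-interpolated version accepts a tautology that returns every patient and a `UNION` payload that pulls a credential row out of an unrelated table; the parameterised version treats the same input as a literal and returns nothing.

```python
import sqlite3

# Constructed in-memory stand-in for the database behind a patient search.
# Table and column names are illustrative assumptions, not OpenEMR's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT, ss TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO patient_data VALUES
            (1, 'Alice', 'Smith', '123-45-6789'),
            (2, 'Bob',   'Jones', '987-65-4321');
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed.hash.value');
    """)
    return conn

def find_patients_vulnerable(conn, fname):
    """Interpolates the caller-controlled value straight into the SQL text."""
    sql = f"SELECT pid, fname, lname, ss FROM patient_data WHERE fname = '{fname}'"
    return conn.execute(sql).fetchall()

def find_patients_safe(conn, fname):
    """Binds the value as a parameter: the driver never parses it as SQL."""
    sql = "SELECT pid, fname, lname, ss FROM patient_data WHERE fname = ?"
    return conn.execute(sql, (fname,)).fetchall()

# Closes the quoted literal and appends an always-true condition.
TAUTOLOGY = "' OR '1'='1"
# Four columns to line up with the outer SELECT; the trailing comment
# swallows the closing quote the application appends.
UNION_DUMP = "x' UNION SELECT id, username, password, NULL FROM users -- "

def demo():
    conn = make_db()
    return {
        "honest_lookup":  find_patients_safe(conn, "Alice"),
        "vuln_tautology": find_patients_vulnerable(conn, TAUTOLOGY),  # every patient
        "vuln_union":     find_patients_vulnerable(conn, UNION_DUMP), # credential row
        "safe_tautology": find_patients_safe(conn, TAUTOLOGY),        # literal match: none
        "safe_union":     find_patients_safe(conn, UNION_DUMP),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

The point of the paired functions is that the fix is not "sanitising" the input: the safe variant passes the identical hostile strings through unchanged and is still unaffected, because the value never reaches the SQL parser as syntax.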
CVE-2026-24908 was publicly disclosed on 2026-02-25. No public proof-of-concept (PoC) code has been released as of this writing and the EPSS score is currently 0.00%, but SQL injection is generally straightforward to exploit once the injection point is known and this one requires only API credentials, so the probability of exploitation attempts should be treated as medium rather than negligible. Watch the web server's access logs for requests to the patient API endpoint whose parameters contain quote characters, SQL keywords or comment sequences, and watch the database's query log for statements that do not match the application's normal queries.
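One way to do the log monitoring suggested above, as an added example rather than anything shipped with OpenEMR: a scanner that reads web-server access logs in combined format, URL-decodes the query parameters of requests to the patient API, and flags values carrying common injection indicators. The endpoint path `/apis/default/api/patient`, the log lines and the client addresses are constructed for this example and are assumptions about the deployment, not facts from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (combined format). Lines 2, 3 and 5 are
# injection attempts; line 4 is a legitimate name containing an apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:01:02 +0000] "GET /apis/default/api/patient?fname=Alice HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [25/Feb/2026:10:01:09 +0000] "GET /apis/default/api/patient?fname=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 40960 "-" "python-requests/2.31"
10.0.0.9 - - [25/Feb/2026:10:01:15 +0000] "GET /apis/default/api/patient?lname=x%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.7 - - [25/Feb/2026:10:02:00 +0000] "GET /apis/default/api/patient?lname=O%27Brien HTTP/1.1" 200 600 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Feb/2026:10:02:30 +0000] "GET /apis/default/api/patient?fname=a%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators are checked on the decoded parameter value, in this order.
SQLI_PATTERNS = [
    ("tautology",  re.compile(r"'\s*(or|and)\s+[^=]*=", re.I)),
    ("union",      re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("comment",    re.compile(r"(--|/\*|#)")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("stacked",    re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]

def parse_target(target):
    """Split a request target into its path and decoded (key, value) pairs."""
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def classify_value(value):
    """Names of the indicator patterns that match a decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]

def scan_log(text, path_prefix="/apis/default/api/patient"):
    """Return one finding per suspicious parameter on the watched endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path, params = parse_target(m["target"])
        if not path.startswith(path_prefix):
            continue
        for key, value in params:
            hits = classify_value(value)
            if hits:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "param": key, "value": value, "indicators": hits,
                })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r} -> {f['indicators']}")
```

Decoding before matching matters: the payloads arrive percent-encoded, and a rule applied to the raw request line would miss `%27` and `%20OR%20`. The apostrophe in `O'Brien` is left alone because the tautology rule requires a quote followed by a boolean operator and a comparison, not a quote on its own; tune the pattern list to the false-positive rate of your own traffic rather than treating it as complete.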
Exploit Status
EPSS
0.00% (0% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24908 is to upgrade OpenEMR to version 8.0.1 or later, which includes the fix. If an immediate upgrade is not possible, reduce exposure in the meantime: disable the REST API if it is not in use, otherwise restrict it to the clients and users that genuinely need it, and validate all user-supplied input reaching the patient endpoint. A Web Application Firewall (WAF) with SQL injection rules in front of the API adds a further layer of defence but is not a substitute for the upgrade. After upgrading, confirm that the installed version is 8.0.1 or later; if you also want to exercise the endpoint with an injection payload to confirm it is handled correctly, do so against a non-production instance you are authorised to test.
Update OpenEMR to version 8.0.1 or higher. This version corrects the SQL injection vulnerability in the patient API so that API input can no longer alter the executed SQL, closing the path to arbitrary queries and exposure of sensitive information.
CVE-2026-24908 is a critical SQL injection vulnerability in OpenEMR 8.0.0 and earlier that allows attackers to execute SQL queries through the Patient REST API.
You are affected if you are running OpenEMR 8.0.0 or earlier and have not yet upgraded to 8.0.1.
Upgrade OpenEMR to version 8.0.1 or later to remediate the vulnerability. If you cannot upgrade immediately, restrict API access and place a WAF in front of the endpoint as temporary measures.
No public exploitation has been confirmed, but the severity of the flaw and the ease of exploiting SQL injection mean active exploitation should be expected.
Refer to the official OpenEMR security advisory for detailed information and updates: [https://openemr.org/security/](https://openemr.org/security/)