
OpenEMR DICOM Viewer State API Allows Unauthorized Access

CVE-2026-25927
Summary

A user with legitimate access to OpenEMR can read and modify medical records they should not be able to access. This matters because it could let unauthorized people view or change sensitive patient information. Update to version 8.0.0 to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor      Product    Affected versions    Fix available
open-emr    openemr    <= 8.0.0
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs to the current user’s authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue.
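The missing check described above, shown as an added illustration in Python that is not OpenEMR's own code: a viewer-state lookup that trusts `doc_id` as-is beside one that first verifies the document belongs to a patient the current session is authorized for. The `Document` and `Session` types and the sample records are constructed for the example.

```python
# Constructed illustration of CWE-639 in a DICOM viewer-state endpoint,
# and the ownership check that closes it. Not OpenEMR code.
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: int
    patient_id: int
    viewer_state: dict = field(default_factory=dict)


@dataclass
class Session:
    user_id: int
    authorized_patients: set  # patients this user may access


class AuthorizationError(Exception):
    pass


# Constructed sample data: two documents belonging to different patients.
DOCUMENTS = {
    101: Document(101, patient_id=1, viewer_state={"annotations": []}),
    202: Document(202, patient_id=2, viewer_state={"annotations": ["lesion"]}),
}


def load_state_vulnerable(session, doc_id):
    """Pre-8.0.0 pattern: doc_id is used directly as the lookup key, so any
    authenticated user can read any document's state by enumerating IDs."""
    return DOCUMENTS[doc_id].viewer_state


def _authorized_document(session, doc_id):
    doc = DOCUMENTS.get(doc_id)
    # Same failure for "missing" and "not yours", so the endpoint does not
    # reveal which document IDs exist.
    if doc is None or doc.patient_id not in session.authorized_patients:
        raise AuthorizationError("document not accessible")
    return doc


def load_state(session, doc_id):
    return _authorized_document(session, doc_id).viewer_state


def save_state(session, doc_id, new_state):
    doc = _authorized_document(session, doc_id)
    doc.viewer_state = dict(new_state)
    return doc.viewer_state
```

The hardened path resolves the document first and checks the patient it belongs to against the session's authorization set, so enumerating `doc_id` values yields only the caller's own documents.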
NVD CVSS 3.1: 7.1
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026