8.1
OpenEMR Leaks Secrets, Exposing Payment Gateway Access
CVE-2026-25146
Summary
OpenEMR, a free electronic health records system, exposes sensitive payment gateway keys, putting medical practices at risk of unauthorized financial transactions and account takeovers. This issue is resolved in version 8.0.0. To protect your practice, update to the latest version of OpenEMR.
What to do
Update to OpenEMR 8.0.0, which fixes this vulnerability.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | >= 5.0.2, < 8.0.0 | 8.0.0 |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret ...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.
nvd CVSS3.1
8.1
Vulnerability type
CWE-200
Information Exposure
- https://github.com/openemr/openemr/blob/6a4e18c5ec73e0c755f6f65b28a9652aded1a58b... Product
- https://github.com/openemr/openemr/blob/6a4e18c5ec73e0c755f6f65b28a9652aded1a58b... Product
- https://github.com/openemr/openemr/commit/fe6341496dc82d5b4f5a3f35891bb2e2481f3b... Patch
- https://github.com/openemr/openemr/security/advisories/GHSA-2hq8-wc73-jvvq Exploit Vendor Advisory
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026