OpenEMR FHIR CareTeam data exposed to unauthorized users
CVE-2026-24487
Summary
Prior to version 8.0.0 of OpenEMR, an authorization bypass in the FHIR CareTeam endpoint allowed patient-scoped FHIR tokens to read care team data for all patients rather than only the authenticated patient's own records. This could lead to the disclosure of confidential health information, including patient-provider relationships. Users should update to version 8.0.0 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | <= 8.0.0 | – |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource ...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all patients instead of being restricted to only the authenticated patient's data. This could potentially lead to unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures across the entire system. The issue occurs because the `FhirCareTeamService` does not implement the `IPatientCompartmentResourceService` interface and does not pass the patient binding parameter to the underlying service, bypassing the patient compartment filtering mechanism. Version 8.0.0 contains a patch for this issue.
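The description attributes the bypass to a resource service that never forwards the caller's patient binding to the underlying query, so the patient compartment filter is silently skipped. The following is an added illustration, not OpenEMR code: a small Python model with constructed sample data, in which an unbound service drops the patient context (modelling the flaw) and a compartment-aware service always applies it and fails closed when a patient-scoped token carries no patient binding. Class names, the `patient/CareTeam.read` and `system/CareTeam.read` scope strings, and the sample rows are assumptions made for the example.

```python
"""Patient-compartment filtering for a FHIR-style CareTeam search.

Hypothetical model, not OpenEMR's implementation: a resource service that
forgets to pass the caller's patient binding returns every patient's care
team, while one that always applies the binding returns only the caller's
own rows.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessToken:
    """Minimal stand-in for an OAuth2 / SMART access token (constructed)."""
    client: str
    scopes: frozenset
    patient_id: Optional[str] = None   # set for patient-scoped tokens only


# Constructed sample data: which provider sits on which patient's care team.
CARE_TEAMS = [
    {"id": "ct-1", "patient": "p-100", "provider": "dr-adams", "role": "primary"},
    {"id": "ct-2", "patient": "p-100", "provider": "rn-baker", "role": "nurse"},
    {"id": "ct-3", "patient": "p-200", "provider": "dr-chen", "role": "primary"},
    {"id": "ct-4", "patient": "p-300", "provider": "dr-adams", "role": "specialist"},
]


class CareTeamRepository:
    """Underlying data access; it filters only when a patient binding is given."""

    def search(self, patient_binding: Optional[str] = None):
        if patient_binding is None:
            return list(CARE_TEAMS)
        return [row for row in CARE_TEAMS if row["patient"] == patient_binding]


class UnboundCareTeamService:
    """Models the flaw: the patient binding is never forwarded to the repository."""

    def __init__(self, repo: CareTeamRepository):
        self.repo = repo

    def search(self, token: AccessToken):
        return self.repo.search()          # patient context dropped here


class CompartmentCareTeamService:
    """Hardened form: the token's patient binding always reaches the query."""

    def __init__(self, repo: CareTeamRepository):
        self.repo = repo

    def search(self, token: AccessToken):
        if "system/CareTeam.read" in token.scopes:
            return self.repo.search()      # system-level client, no compartment
        if "patient/CareTeam.read" not in token.scopes:
            raise PermissionError("token lacks a CareTeam read scope")
        if not token.patient_id:
            # A patient-scoped token without a patient binding cannot be
            # filtered, so fail closed instead of falling through to "all".
            raise PermissionError("patient-scoped token has no patient binding")
        return self.repo.search(patient_binding=token.patient_id)


def patients_exposed(service, token: AccessToken):
    """Patient ids in the response that are NOT the token's own patient."""
    return sorted({row["patient"] for row in service.search(token)} - {token.patient_id})


if __name__ == "__main__":
    repo = CareTeamRepository()
    patient_token = AccessToken("portal-app", frozenset({"patient/CareTeam.read"}), "p-100")
    print("unbound    :", patients_exposed(UnboundCareTeamService(repo), patient_token))
    print("compartment:", patients_exposed(CompartmentCareTeamService(repo), patient_token))
```

Run as a script, the unbound service reports other patients' ids in the response to a patient-scoped token while the compartment-aware service reports none. The useful defensive check is the last one in `patients_exposed`: a regression test that asserts a patient-scoped token never sees a row whose patient differs from its own binding catches this class of omission whenever a new resource service is added.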
NVD CVSS 3.1: 6.5
NVD CVSS 4.0: 5.7
Vulnerability type
CWE-200: Information Exposure
CWE-863: Incorrect Authorization
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026