OpenEMR: HTTPS connections to healthcare APIs are vulnerable to interception
CVE-2025-67752
Summary
Before version 7.0.4, OpenEMR's shared HTTP client wrapper (`oeHttp`/`oeHttpRequest`) sent every outbound HTTPS request with TLS certificate verification turned off (`verify: false`), so the server never checked that the remote endpoint was the one it intended to talk to. An attacker on the network path (a compromised router, hostile Wi-Fi, DNS tampering) could present any certificate, terminate the TLS session, and read or alter the data in transit, including Protected Health Information (PHI) sent to government healthcare APIs or to user-configured external services. The advisory states that version 7.0.4 fixes the issue.
What to do
The affected-versions table on this page lists <= 7.0.4 as affected with no fix recorded, while the advisory text states that version 7.0.4 fixes the issue. Confirm the fixed release against the vendor's release notes before relying on either figure. Until an instance is confirmed fixed, treat any OpenEMR deployment whose `oeHttp` wrapper still runs with `verify: false` as exposed, and avoid sending PHI from it to external HTTPS services across networks you do not control.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | <= 7.0.4 | – |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (`oeHttp`/`oeHttpRequest`) disables SS...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (`oeHttp`/`oeHttpRequest`) disables SSL/TLS certificate verification by default (`verify: false`), making all external HTTPS connections vulnerable to man-in-the-middle (MITM) attacks. This affects communication with government healthcare APIs and user-configurable external services, potentially exposing Protected Health Information (PHI). Version 7.0.4 fixes the issue.
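The weak default described above next to a hardened wrapper, as an added example in PHP; this is not OpenEMR's own code. It assumes the wrapper is built on Guzzle, whose request option `verify` matches the `verify: false` quoted in the advisory, and the class names, the `verificationDisabled` helper and the vendor autoload path are assumptions for illustration.

```php
<?php
// Added example, not OpenEMR's code. Assumes a Guzzle-based HTTP client;
// InsecureHttpClient, SafeHttpClient and verificationDisabled() are hypothetical names.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\RequestOptions;

// Weak pattern (the class of bug in the advisory): certificate verification is
// off for every request the wrapper makes unless a caller happens to override it.
// Any on-path attacker holding a self-signed certificate can terminate the TLS
// session and read or modify PHI in transit.
final class InsecureHttpClient
{
    public static function build(array $options = []): Client
    {
        // Array union keeps caller-supplied keys, so the insecure value is the default.
        return new Client($options + [RequestOptions::VERIFY => false]);
    }
}

// Hardened pattern: verification is on by default, a CA bundle path may be supplied
// (for a private CA used by an internal service), and `false` is refused outright
// so no caller can silently downgrade the wrapper again.
final class SafeHttpClient
{
    public static function build(array $options = []): Client
    {
        $verify = $options[RequestOptions::VERIFY] ?? true;
        if ($verify === false) {
            throw new \InvalidArgumentException('TLS certificate verification cannot be disabled');
        }
        if (is_string($verify) && !is_readable($verify)) {
            throw new \InvalidArgumentException("CA bundle not readable: $verify");
        }
        $options[RequestOptions::VERIFY] = $verify;
        return new Client($options);
    }
}

// Audit helper: reports whether a constructed client still has verification off.
// Client::getConfig() exists in Guzzle 6 and 7 (marked deprecated in 7, still present).
function verificationDisabled(Client $client): bool
{
    return $client->getConfig(RequestOptions::VERIFY) === false;
}

$insecure = InsecureHttpClient::build();
$safe     = SafeHttpClient::build();
var_dump(verificationDisabled($insecure));
var_dump(verificationDisabled($safe));

// Refusing the downgrade is the point: this throws instead of returning a client.
try {
    SafeHttpClient::build([RequestOptions::VERIFY => false]);
} catch (\InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

To confirm a deployed wrapper actually verifies, point it at an endpoint that serves an untrusted certificate (for example `https://self-signed.badssl.com/`) and expect the request to fail with a `GuzzleHttp\Exception\ConnectException` carrying a cURL certificate error; a wrapper that returns a 200 response from such a host is still running with verification disabled.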
NVD CVSS 3.1
8.1
Vulnerability type
CWE-295
Improper Certificate Validation
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026