OpenEMR: Low-privilege users can modify order types without permission
CVE-2026-25131
Summary
Prior to version 8.0.0 of OpenEMR, unauthorized users could change order types. This means a Receptionist without proper clearance could alter how medical procedures are ordered or recorded in the system. Upgrade to OpenEMR version 8.0.0 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | <= 8.0.0 | – |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order ty...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege users (such as Receptionist) to add and modify procedure types without proper authorization. This vulnerability is present in the /openemr/interface/orders/types_edit.php endpoint. Version 8.0.0 contains a patch.
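To make the CWE-862 pattern in the description concrete, here is an added illustration in PHP that is not OpenEMR's code: a handler for editing order types that, in its vulnerable form, checks only that a user is logged in, beside a hardened form that also checks the session role against an allow-list before any write and logs the refusal. The session layout (`authUser`, `role`), the role names, `isRoleAllowed` and `saveOrderType` are assumptions made for the example, not OpenEMR's ACL API or schema.

```php
<?php
// Added example (not OpenEMR's code). Models CWE-862 Missing Authorization:
// an endpoint that mutates order types after verifying only authentication.

declare(strict_types=1);

// Roles assumed for the illustration; OpenEMR's real ACL objects differ.
const ORDER_TYPE_ADMIN_ROLES = ['administrator', 'clinician'];

/** Vulnerable form: authentication is checked, authorization is not. */
function handleOrderTypeEditVulnerable(array $session, array $post): string
{
    if (empty($session['authUser'])) {
        return 'deny: not logged in';
    }
    // Any authenticated role, including a receptionist, reaches the write.
    return saveOrderType($post);
}

/** Hardened form: an explicit permission check precedes any write. */
function handleOrderTypeEditFixed(array $session, array $post): string
{
    if (empty($session['authUser'])) {
        return 'deny: not logged in';
    }
    $role = (string)($session['role'] ?? '');
    if (!isRoleAllowed($role, ORDER_TYPE_ADMIN_ROLES)) {
        // Record denials so abuse attempts are visible in the audit trail.
        error_log(sprintf(
            'authz denied: user=%s role=%s action=order_type_edit',
            $session['authUser'],
            $role === '' ? 'none' : $role
        ));
        return 'deny: insufficient privilege';
    }
    return saveOrderType($post);
}

/** Strict comparison avoids loose-typing surprises in the allow-list check. */
function isRoleAllowed(string $role, array $allowed): bool
{
    return in_array($role, $allowed, true);
}

/** Stand-in for the database write; returns a description instead. */
function saveOrderType(array $post): string
{
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '') {
        return 'error: missing name';
    }
    return 'saved order type: ' . $name;
}

// Constructed sessions and request used only for this demonstration.
$receptionist = ['authUser' => 'rdesk', 'role' => 'receptionist'];
$admin        = ['authUser' => 'admin', 'role' => 'administrator'];
$request      = ['name' => 'Lipid panel'];

echo handleOrderTypeEditVulnerable($receptionist, $request), PHP_EOL;
echo handleOrderTypeEditFixed($receptionist, $request), PHP_EOL;
echo handleOrderTypeEditFixed($admin, $request), PHP_EOL;
```

Run with `php example.php`: the vulnerable handler lets the receptionist session save the order type, while the hardened handler refuses it and only the administrator session succeeds. The point for defenders is that the authorization decision lives in the write path itself, not in whether a menu link is shown, so a direct request to the endpoint is covered too.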
NVD CVSS 3.1
8.8
Vulnerability type
CWE-862
Missing Authorization
- Patch: https://github.com/openemr/openemr/commit/1e63cbab34558bca029533f87cdb6efb1ff32c...
- Vendor advisory (exploit, mitigation): https://github.com/openemr/openemr/security/advisories/GHSA-6h2m-4ppf-ph4j
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026