CVE-2026-25146 - Vulnerability Analysis
CriticalCVSS: 9.6Last Updated: March 3, 2026
OpenEMR - Information Disclosure
Published: March 3, 2026Updated: March 3, 2026Remote Exploitable
Overview
OpenEMR 5.0.2 to < 8.0.0 contains an information disclosure vulnerability caused by rendering gateway_api_key secret values in plaintext to clients, letting attackers perform arbitrary money movement or account takeover, exploit requires no special privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.6
Impact
Attackers can steal secret keys, enabling arbitrary money movement or broad payment gateway account takeover.
Mitigation
Update to version 8.0.0 or later.
References
- https://github.com/openemr/openemr/blob/6a4e18c5ec73e0c755f6f65b28a9652aded1a58b/interface/patient_file/front_payment.php#L765
- https://github.com/openemr/openemr/blob/6a4e18c5ec73e0c755f6f65b28a9652aded1a58b/portal/portal_payment.php#L537
- https://github.com/openemr/openemr/commit/fe6341496dc82d5b4f5a3f35891bb2e2481f3b25
- https://github.com/openemr/openemr/security/advisories/GHSA-2hq8-wc73-jvvq
Related Resources
Details
- CVE ID
- CVE-2026-25146
- Severity
- Critical
- CVSS Score
- 9.6
- Type
- information_disclosure
- Status
- new
CWE
- CWE-200
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N