CVE-2026-25927 - Vulnerability Analysis
Severity: High | CVSS: 7.1 | Last Updated: February 27, 2026
OpenEMR - Broken Access Control
Published: February 25, 2026 | PoC Available | Remote Exploitable
Overview
OpenEMR versions before 8.0.0 contain a broken access control flaw in the DICOM viewer state API: the endpoint checks that the caller is logged in but does not verify that the caller is authorized for the document referenced by the request. Because the document ID is supplied by the client and can be enumerated, any authenticated user can read or modify the viewer state of any document, not only those they are permitted to access (CWE-639, an insecure direct object reference).
Severity & Score
Severity: High
CVSS Score: 7.1
Impact
Any authenticated user (PR:L) can read the DICOM viewer state of documents they are not authorized for (C:H) and can overwrite it (I:L), potentially exposing or altering information associated with sensitive medical imaging records. No user interaction is required, and the endpoint is reachable over the network.
Mitigation
Update to OpenEMR 8.0.0 or later. The underlying fix is a per-request authorization check that ties the requested document ID to the calling user before the viewer state is read or written; an authentication check alone is not sufficient. Until the upgrade is applied, audit access logs for a single session requesting viewer state across many consecutive document IDs, which is the signature of an enumeration attempt.
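The following is an added illustration of the vulnerability class and its fix, not code from OpenEMR or from this advisory. It models a minimal viewer-state API in memory: a handler that checks only authentication (the CWE-639 pattern described above), a hardened handler that loads every document through one authorization gate, and the enumeration check a tester would run to confirm or rule out the issue. The data model, function names, the `owner_id` relation and the sample documents are all assumptions made for the example; in a real system the relation would be whatever authorization the application actually defines (patient assignment, ACL, role).

```python
# Added illustration for this advisory: NOT OpenEMR code. Data model,
# endpoint shape, field names and the "owner" relation are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


class Forbidden(Exception):
    """Caller is not logged in."""


class NotFound(Exception):
    """Document does not exist, or the caller may not learn that it does."""


@dataclass
class Document:
    doc_id: int
    owner_id: int                      # assumed authorization relation
    viewer_state: Dict[str, int] = field(default_factory=dict)


# Constructed sample data: user 100 owns doc 1, user 200 owns docs 2 and 3.
DOCUMENTS: Dict[int, Document] = {
    1: Document(1, owner_id=100, viewer_state={"window": 400, "level": 40}),
    2: Document(2, owner_id=200, viewer_state={"window": 1500, "level": -600}),
    3: Document(3, owner_id=200, viewer_state={"window": 80, "level": 40}),
}


# ---- vulnerable pattern: authentication only, no per-object authorization ----
def get_viewer_state_vulnerable(user_id: Optional[int], doc_id: int) -> Dict[str, int]:
    if user_id is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return dict(doc.viewer_state)      # any logged-in user reaches this line


def put_viewer_state_vulnerable(user_id: Optional[int], doc_id: int,
                                new_state: Dict[str, int]) -> Dict[str, int]:
    if user_id is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    doc.viewer_state = dict(new_state)  # overwrites another user's document
    return dict(doc.viewer_state)


# ---- hardened pattern: every access goes through one authorization gate ----
def _load_authorized(user_id: Optional[int], doc_id: int) -> Document:
    if user_id is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    # Same response for "missing" and "not yours", so the endpoint cannot be
    # used as an existence oracle while an attacker walks the ID space.
    if doc is None or doc.owner_id != user_id:
        raise NotFound(doc_id)
    return doc


def get_viewer_state(user_id: Optional[int], doc_id: int) -> Dict[str, int]:
    return dict(_load_authorized(user_id, doc_id).viewer_state)


def put_viewer_state(user_id: Optional[int], doc_id: int,
                     new_state: Dict[str, int]) -> Dict[str, int]:
    doc = _load_authorized(user_id, doc_id)
    doc.viewer_state = dict(new_state)
    return dict(doc.viewer_state)


# ---- tester-side check: walk the ID space as a low-privilege user ----
def leaked_document_ids(read_fn: Callable[[Optional[int], int], Dict[str, int]],
                        user_id: int, id_range: Iterable[int]) -> List[int]:
    """IDs of documents the user could read but does not own.
    Against a live endpoint this is the confirmation step for the IDOR;
    here it runs against the in-memory handlers."""
    leaked: List[int] = []
    for doc_id in id_range:
        try:
            read_fn(user_id, doc_id)
        except (Forbidden, NotFound):
            continue
        if DOCUMENTS[doc_id].owner_id != user_id:
            leaked.append(doc_id)
    return leaked


def denied(fn: Callable, *args) -> bool:
    """True if the call is rejected with Forbidden or NotFound."""
    try:
        fn(*args)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable leaks:", leaked_document_ids(get_viewer_state_vulnerable, 100, range(1, 6)))
    print("hardened leaks:  ", leaked_document_ids(get_viewer_state, 100, range(1, 6)))
```

Two design points are worth carrying into a real fix. First, the authorization check lives in a single loader used by both the read and the write path, so a future endpoint cannot forget it. Second, the hardened handler returns the same error for a non-existent document and for a document the caller may not access; distinguishing the two would let an attacker map which IDs exist even after the data leak is closed.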
Details
- CVE ID: CVE-2026-25927
- Severity: High
- CVSS Score: 7.1
- Type: Broken access control
- Status: Confirmed
CWE
- CWE-639: Authorization Bypass Through User-Controlled Key
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Network-reachable, low attack complexity, low privileges required (any authenticated user), no user interaction, unchanged scope, high confidentiality impact, low integrity impact, no availability impact. These metrics compute to the base score of 7.1 shown above.