← volver
CVE-2026-25927

OpenEMR Missing Authorization Checks in DICOM Viewer State API

CVSS 7.1 HIGHEPSS 0.2%CWE-639
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 7.1EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
25 feb 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs to the current user’s authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Productos afectados
openemr · openemr

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/openemr/openemr/security/advisories/GHSA-qj9f-x7v2-hrr7