CVE-2025-46823 Overview
CVE-2025-46823 affects openmrs-module-fhir2, the module that provides the FHIR REST API (the /ws/fhir2/ endpoints) and related services for OpenMRS, an open source medical record system. Versions of the FHIR2 module before 2.5.0 do not consistently perform OpenMRS privilege checks on incoming requests, so a caller can add or edit patient and clinical data that they are not permitted to modify. The flaw is classified as Missing Authorization [CWE-862] and is exploitable over the network without authentication or user interaction. Implementers running affected versions should upgrade to FHIR2 2.5.0 or later.
Critical Impact
Network-accessible attackers can write or modify medical records through the FHIR REST API without holding the required OpenMRS privileges, threatening the confidentiality and integrity of clinical data.
Affected Products
- OpenMRS openmrs-module-fhir2 versions prior to 2.5.0
- OpenMRS deployments exposing the FHIR REST API provided by the FHIR2 module
- Downstream OpenMRS distributions bundling the vulnerable FHIR2 module
Discovery Timeline
- 2025-05-29 - CVE-2025-46823 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-46823
Vulnerability Analysis
The FHIR2 module exposes FHIR resources such as Patient, Encounter, and Observation as REST endpoints under /ws/fhir2/ in the OpenMRS web application. OpenMRS enforces fine-grained privileges on each clinical operation, and the FHIR2 module is responsible for translating FHIR requests into OpenMRS service calls that are subject to those privileges. In versions before 2.5.0, several code paths in the module do not consistently enforce the privilege check before performing create or update operations, so for certain FHIR resources or HTTP methods the authorization decision is skipped entirely. Because the endpoints are reachable over the network, successful exploitation lets a remote caller alter electronic health records, affecting the confidentiality and integrity of clinical data.
Root Cause
The root cause is missing or inconsistent authorization enforcement [CWE-862] in the handler logic for FHIR resource operations: in the affected code paths the module acts on the caller's session context without verifying that the authenticated principal holds the OpenMRS privilege required for the underlying clinical action. Refer to the GitHub Security Advisory GHSA-g5vq-w8v2-4x9j for the authoritative description of the affected code paths.
Attack Vector
An attacker reaches the vulnerable endpoints by sending crafted FHIR HTTP requests (for example POST, PUT, or PATCH against a resource) to the OpenMRS FHIR2 API over the network. Depending on the affected endpoint, the request can create or modify resources that the caller is not authorized to change. No specialized tooling is required beyond a standard HTTP client that can send FHIR-compliant JSON or XML payloads. The upstream advisory intentionally limits technical specifics to reduce exposure; see the openmrs-module-fhir2 2.5.0 release notes for the corresponding fixes.
Detection Methods for CVE-2025-46823
Indicators of Compromise
- Unexpected POST, PUT, or PATCH requests to /ws/fhir2/ endpoints from accounts that lack the corresponding OpenMRS clinical privileges, or from sessions that presented no credentials at all.
- Audit records showing patient or clinical data created or modified by a user whose roles do not include the privilege that the same action would require through the OpenMRS user interface or the legacy REST API.
- Discrepancies between OpenMRS user roles and the volume or type of FHIR write operations attributed to those users.
Detection Strategies
- Compare FHIR2 access logs against the OpenMRS role and privilege matrix to flag writes performed by under-privileged accounts.
- Alert on anonymous or low-privilege sessions whose create or update calls to FHIR resources such as Patient, Encounter, or Observation succeed (2xx responses); a successful write from such a session is a confirmed unauthorized change rather than a mere attempt.
- Track the deployed version of openmrs-module-fhir2 across environments and flag any instance below 2.5.0.
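The two checks above (gating on the module version and correlating FHIR2 write requests against the role/privilege matrix) implemented as one script. This is an added example, not code from the advisory or the OpenMRS project; the nginx log format, the user names, the sample log lines and the resource-to-privilege mapping are constructed assumptions, and the advisory does not say which privilege checks the module skipped, so the mapping must be verified against the deployment's own privilege list.

```python
"""
Added example (not part of the advisory or of the OpenMRS project): gate on the
openmrs-module-fhir2 version and correlate reverse-proxy access logs for /ws/fhir2/
writes against an OpenMRS role/privilege matrix.  The log format, user names and the
resource-to-privilege mapping below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

FIXED_VERSION = (2, 5, 0)   # first release of openmrs-module-fhir2 that carries the fix


def parse_version(version: str) -> tuple:
    """'2.4.0-SNAPSHOT' -> (2, 4, 0); missing components default to 0."""
    core = version.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable_fhir2(version: str) -> bool:
    """True for any FHIR2 module version below 2.5.0.  A 2.5.0 pre-release build
    (for example '2.5.0-SNAPSHOT') is treated conservatively as still vulnerable."""
    core = parse_version(version)
    prerelease = "-" in version
    return core < FIXED_VERSION or (core == FIXED_VERSION and prerelease)


# Assumed nginx log_format in front of OpenMRS:
#   '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent'
# $remote_user is the user name from HTTP Basic credentials ("-" when none were sent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+'
)
FHIR_PATH_RE = re.compile(r"/ws/fhir2/(?:R3|R4)/(?P<resource>[A-Z][A-Za-z]+)(?:[/?]|$)")
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Assumed mapping from FHIR resource type to the OpenMRS privilege a write should need
# (create -> "Add ...", update -> "Edit ...").  Verify against your deployment's
# privilege list; the advisory does not state which checks the module skipped.
WRITE_PRIVILEGE: Dict[str, Dict[str, str]] = {
    "Patient":     {"POST": "Add Patients",     "PUT": "Edit Patients",     "PATCH": "Edit Patients"},
    "Encounter":   {"POST": "Add Encounters",   "PUT": "Edit Encounters",   "PATCH": "Edit Encounters"},
    "Observation": {"POST": "Add Observations", "PUT": "Edit Observations", "PATCH": "Edit Observations"},
}


@dataclass(frozen=True)
class Finding:
    user: str            # "-" means no credentials were presented
    ip: str
    method: str
    resource: str
    privilege: str       # privilege the caller lacked
    status: int
    succeeded: bool      # 2xx -> the write went through (confirmed unauthorized change)


def find_unauthorized_writes(log_text: str, privileges: Dict[str, Set[str]]) -> List[Finding]:
    """Flag FHIR2 write requests whose user does not hold the mapped privilege."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue                                   # unparsable line or a read
        p = FHIR_PATH_RE.search(m["path"])
        if not p:
            continue                                   # not a FHIR2 request
        needed = WRITE_PRIVILEGE.get(p["resource"], {}).get(m["method"])
        if needed is None:
            continue                                   # resource not in the mapping
        if needed in privileges.get(m["user"], set()):
            continue                                   # authorized write, nothing to report
        status = int(m["status"])
        findings.append(Finding(m["user"], m["ip"], m["method"], p["resource"],
                                needed, status, 200 <= status < 300))
    return findings


# Constructed sample data, not real log or user records.
SAMPLE_PRIVILEGES: Dict[str, Set[str]] = {
    "nurse2": {"View Patients", "Add Encounters", "Edit Encounters",
               "Add Observations", "Edit Observations"},
    "clerk1": {"View Patients", "Add Patients", "Edit Patients"},
    # "-" (anonymous) deliberately has no entry: no privileges at all
}
SAMPLE_LOG = """\
10.0.4.17 - clerk1 [29/May/2025:10:01:02 +0000] "POST /openmrs/ws/fhir2/R4/Observation HTTP/1.1" 201 412
10.0.4.17 - clerk1 [29/May/2025:10:01:09 +0000] "GET /openmrs/ws/fhir2/R4/Patient/7c3e HTTP/1.1" 200 1530
10.0.4.9 - nurse2 [29/May/2025:10:02:11 +0000] "PUT /openmrs/ws/fhir2/R4/Encounter/91aa HTTP/1.1" 200 880
203.0.113.5 - - [29/May/2025:10:03:45 +0000] "POST /openmrs/ws/fhir2/R4/Patient HTTP/1.1" 201 640
203.0.113.5 - - [29/May/2025:10:03:50 +0000] "PATCH /openmrs/ws/fhir2/R4/Patient/55bd HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for v in ("2.4.0", "2.5.0-SNAPSHOT", "2.5.0", "2.6.1"):
        print(f"fhir2 {v}: {'VULNERABLE' if is_vulnerable_fhir2(v) else 'fixed'}")
    for f in find_unauthorized_writes(SAMPLE_LOG, SAMPLE_PRIVILEGES):
        tag = "CONFIRMED" if f.succeeded else "attempt"
        print(f"{tag}: {f.user}@{f.ip} {f.method} {f.resource} without '{f.privilege}' -> {f.status}")
```

On the constructed sample, the script reports clerk1 creating an Observation without "Add Observations" and an anonymous client creating a Patient, both with 2xx responses (confirmed unauthorized writes), plus one anonymous PATCH that the server refused with 403. In a real deployment the privilege matrix comes from the OpenMRS user, role and privilege tables, and requests authenticated by session cookie rather than Basic credentials need the user name taken from OpenMRS's own logs instead of $remote_user.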
Monitoring Recommendations
- Forward OpenMRS application and FHIR2 module logs to a centralized logging or SIEM platform for correlation with identity events.
- Enable HTTP request and response logging at the reverse proxy in front of OpenMRS so that full FHIR payloads are retained for forensic review; these bodies contain patient data, so store them with the same access controls and retention rules as the clinical database itself.
- Monitor changes to clinical records via OpenMRS audit modules and review them against expected clinical workflows.
How to Mitigate CVE-2025-46823
Immediate Actions Required
- Upgrade openmrs-module-fhir2 to version 2.5.0 or later on every OpenMRS instance.
- Restrict network access to the /ws/fhir2/ API to trusted clients using firewall rules, VPN, or reverse proxy allow-lists until patching is complete.
- Review recent FHIR2 write activity for unauthorized record changes and reconcile against clinical sources of truth.
Patch Information
The maintainers released the fix in openmrs-module-fhir2 2.5.0. Patch artifacts and release notes are published on the openmrs-module-fhir2 2.5.0 release page. The corresponding coordinated disclosure is tracked in GitHub Security Advisory GHSA-g5vq-w8v2-4x9j. All implementers should plan the upgrade as soon as feasible.
Workarounds
- Disable or block the FHIR2 module endpoints at the web tier if upgrading immediately is not possible.
- Require requests to be authenticated at the reverse proxy layer (for example mutual TLS or a proxy-enforced credential per integration client) so that only known service accounts reach the OpenMRS FHIR API. This narrows who can reach the endpoints but does not replace the upgrade: an authenticated account that lacks the required OpenMRS privileges can still exploit the flaw.
- Reduce privileges granted to OpenMRS user roles to the minimum required, limiting the blast radius if authorization is bypassed.
# Example reverse proxy rule (nginx) to restrict the FHIR2 API to an internal CIDR only.
# Adjust the prefix if OpenMRS is served under a context path such as /openmrs/.
# allow/deny act on the TCP source address: if another proxy or load balancer sits in
# front of nginx, configure the real_ip module first, otherwise every request carries
# that upstream proxy's address instead of the client's.
location /ws/fhir2/ {
    allow 10.0.0.0/8;   # trusted internal range; narrow it to the actual integration hosts
    deny  all;          # everything else receives 403 before reaching OpenMRS
    proxy_pass http://openmrs-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


