CVE-2025-67645 Overview
CVE-2025-67645 is a broken access control vulnerability in OpenEMR, a widely deployed open source electronic health records (EHR) and medical practice management application. The flaw resides in the Profile Edit endpoint and affects all versions prior to 7.0.4. An authenticated low-privilege user can tamper with the pubpid or pid request parameters to reference another user's record. The server accepts the modified identifiers without proper authorization checks and applies the submitted changes to the target user's profile. The vulnerability maps to [CWE-284: Improper Access Control].
Critical Impact
Authenticated attackers can modify arbitrary user profile data, including names and contact information, enabling profile tampering and potential account takeover within healthcare environments.
Affected Products
- OpenEMR versions prior to 7.0.4
- OpenEMR 7.0.3 (confirmed in CPE data)
- Deployments exposing the Profile Edit endpoint to authenticated users
Discovery Timeline
- 2026-01-28 - CVE-2025-67645 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2025-67645
Vulnerability Analysis
The vulnerability stems from missing object-level authorization in the Profile Edit endpoint. OpenEMR trusts client-supplied identifiers, specifically the pubpid and pid parameters submitted in profile update requests. The application uses these values to determine which record to modify but does not verify whether the authenticated session owns the referenced record. An authenticated normal user can therefore submit a profile edit request containing another user's pid and have the changes applied to that victim record. This pattern is commonly classified as Insecure Direct Object Reference (IDOR).
Because OpenEMR stores sensitive demographic and clinical contact data, unauthorized modification can disrupt patient care workflows, corrupt records, and facilitate account takeover by altering recovery contact details such as email addresses or phone numbers. The integrity, confidentiality, and availability impact extend across all user records reachable via the endpoint.
Root Cause
The Profile Edit handler relies on parameters submitted in the HTTP request to identify the record being edited rather than deriving the target record from the authenticated session context. No server-side ownership check enforces that the session user matches the record referenced by pid or pubpid. The fix in version 7.0.4, committed in e2a682ee71aac71a9f04ae566f4ffca10052bc4a, enforces proper authorization on the endpoint.
Attack Vector
Exploitation requires a valid authenticated session as any normal user. The attacker intercepts a legitimate profile update request, substitutes the pid or pubpid value with a target record identifier, and replays the request. The server applies the supplied field values to the victim record. No user interaction by the victim is required, and the attack is performed entirely over the network through the standard OpenEMR web interface.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-vjmv-cf46-gffv for vendor-published technical details.
Detection Methods for CVE-2025-67645
Indicators of Compromise
- Unexpected modifications to user or patient profile fields such as name, email, phone, or address without corresponding help desk activity.
- HTTP POST requests to the Profile Edit endpoint where the pid or pubpid parameter does not match the authenticated session user.
- Sudden changes in account recovery contact information followed by password reset attempts.
Detection Strategies
- Enable OpenEMR audit logging and correlate the acting user ID in session with the pid/pubpid value in each profile update request; mismatches indicate exploitation attempts.
- Deploy a web application firewall (WAF) rule that inspects Profile Edit submissions and flags requests where the supplied patient identifier differs from the session-bound identifier.
- Review database change logs on the patient_data and related user tables for unusual update frequency or off-hours modifications.
Monitoring Recommendations
- Forward OpenEMR access and audit logs to a centralized SIEM for retention and correlation against authentication events.
- Alert on profile field changes immediately followed by password reset or login from a new IP, which can indicate account takeover.
- Track baseline rates of profile edits per user account and alert on statistical outliers.
How to Mitigate CVE-2025-67645
Immediate Actions Required
- Upgrade OpenEMR to version 7.0.4 or later, which contains the authorization fix from commit e2a682ee71aac71a9f04ae566f4ffca10052bc4a.
- Audit recent profile changes since deployment of any version prior to 7.0.4 to identify potentially tampered records.
- Force password resets and re-verify recovery contact information for accounts whose profile data changed unexpectedly.
Patch Information
The vendor released the fix in OpenEMR 7.0.4. Review the GitHub Commit Update for the code change and the GitHub Security Advisory GHSA-vjmv-cf46-gffv for the official disclosure.
Workarounds
- Restrict access to the OpenEMR application to trusted networks or VPN users until the patch can be applied.
- Apply WAF rules that reject Profile Edit requests where pid or pubpid does not match the session-authenticated user identifier.
- Reduce the number of accounts with access to the profile management interface to minimize the exploitable user population.
# Example: upgrade OpenEMR via git to the patched release
cd /var/www/openemr
sudo -u www-data git fetch --tags
sudo -u www-data git checkout v7.0.4
# Run any required database upgrade scripts via the sql_upgrade.php utility
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

