CVE-2025-67645 Overview
CVE-2025-67645 is a Broken Access Control vulnerability affecting OpenEMR, a free and open source electronic health records (EHR) and medical practice management application. Versions prior to 7.0.4 contain a broken access control flaw in the Profile Edit endpoint that allows authenticated users to modify other users' profile data by manipulating request parameters.
An authenticated normal user can modify the pubpid or pid request parameters to reference another user's record. The server fails to validate that the requesting user has authorization to modify the specified record, accepting the modified IDs and applying changes to the targeted user's profile. This enables horizontal privilege escalation where one user can alter another user's profile data including name, contact information, and other sensitive details.
Critical Impact
This vulnerability could enable account takeover in healthcare environments, potentially compromising patient data integrity and violating HIPAA compliance requirements in medical facilities using OpenEMR.
Affected Products
- OpenEMR versions prior to 7.0.4
- OpenEMR Patient Portal Profile Edit functionality
- OpenEMR PatientController.php endpoint
Discovery Timeline
- 2026-01-28 - CVE CVE-2025-67645 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-67645
Vulnerability Analysis
The vulnerability exists in the patient profile update functionality within OpenEMR's Patient Portal. The application fails to implement proper authorization checks when processing profile update requests, allowing any authenticated user to update any other user's profile by simply changing the patient identifier in the request.
This is a classic Insecure Direct Object Reference (IDOR) vulnerability combined with broken access control. The server-side code trusts the id parameter provided in the URL without verifying that the authenticated user owns or has permission to modify the referenced patient record. This architectural flaw means the application relies on client-side controls or obscurity rather than proper server-side authorization validation.
In healthcare contexts, this vulnerability is particularly severe as it could allow malicious actors to modify patient demographic information, contact details, and potentially enable further attacks through account takeover mechanisms.
Root Cause
The root cause is missing authorization validation in the PatientController.php file. The vulnerable code retrieves a patient record based on a user-supplied id parameter and proceeds to update the record without verifying that the authenticated session belongs to the patient whose record is being modified. The application architecture failed to implement the security principle of verifying object-level authorization before performing sensitive operations.
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the OpenEMR Patient Portal. An attacker with a valid user account can intercept or craft HTTP requests to the profile update endpoint, modifying the pubpid or pid parameter to target another user's patient ID. No user interaction is required from the victim, and the attack can be performed with commonly available tools like browser developer tools or proxy applications.
// Security patch in portal/patient/libs/Controller/PatientController.php
// Source: https://github.com/openemr/openemr/commit/e2a682ee71aac71a9f04ae566f4ffca10052bc4a
$pk = $this->GetRouter()->GetUrlParam('id');
$patient = $this->Phreezer->Get('Patient', $pk);
// Ensure user can only update their own profile
$sessionPid = $_SESSION['pid'] ?? null;
if (!$sessionPid || $patient->Pid != $sessionPid) {
throw new Exception('Unauthorized: You can only update your own profile');
}
// this is a primary key. uncomment if updating is allowed
$patient->Title = $this->SafeGetVal($json, 'title', $patient->Title);
$patient->Language = $this->SafeGetVal($json, 'language', $patient->Language);
$patient->Fname = $this->SafeGetVal($json, 'fname', $patient->Fname);
$patient->Lname = $this->SafeGetVal($json, 'lname', $patient->Lname);
$patient->Mname = $this->SafeGetVal($json, 'mname', $patient->Mname);
The patch adds proper session-based authorization by comparing the patient ID from the request against the authenticated user's session pid, throwing an exception if they don't match.
Detection Methods for CVE-2025-67645
Indicators of Compromise
- HTTP requests to the Patient Portal profile update endpoint containing pid or pubpid values that differ from the authenticated user's session
- Multiple profile update requests from a single authenticated session targeting different patient IDs
- Unusual patterns of patient demographic data modifications in audit logs
- Failed authorization exceptions in application logs after patching
Detection Strategies
- Implement web application firewall (WAF) rules to flag requests where URL-based id parameters differ from session-bound user identifiers
- Monitor OpenEMR application logs for authorization exception patterns that may indicate exploitation attempts
- Deploy SentinelOne Singularity to detect anomalous web application behavior and potential IDOR exploitation
- Review access logs for authenticated users making requests with modified patient ID parameters
Monitoring Recommendations
- Enable detailed audit logging for all patient profile modification operations in OpenEMR
- Configure alerting for multiple profile updates originating from a single user session within short time windows
- Monitor for HTTP parameter tampering patterns in web server access logs
- Implement database-level auditing to track unauthorized profile modifications
How to Mitigate CVE-2025-67645
Immediate Actions Required
- Upgrade OpenEMR to version 7.0.4 or later immediately
- Review audit logs for any suspicious profile modification activity that may indicate prior exploitation
- Implement network segmentation to limit access to OpenEMR Patient Portal to authorized networks
- Notify affected users if unauthorized profile modifications are detected
Patch Information
OpenEMR version 7.0.4 addresses this vulnerability by implementing proper server-side authorization checks. The fix validates that the authenticated user's session pid matches the patient record being modified before allowing any updates. The security patch is available via the GitHub commit and detailed in the GitHub Security Advisory GHSA-vjmv-cf46-gffv.
Workarounds
- If immediate patching is not possible, restrict access to the Patient Portal at the network level until the update can be applied
- Implement a reverse proxy or WAF rule to reject profile update requests where URL parameters don't match session identifiers
- Disable the Patient Portal self-service profile editing functionality temporarily
- Apply the patch manually by implementing the authorization check shown in the security commit
# Configuration example - Restrict Patient Portal access at web server level
# Apache example - Add to OpenEMR virtual host configuration
<Location "/portal/patient">
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
