CVE-2026-25131 Overview
CVE-2026-25131 is a Broken Access Control vulnerability affecting OpenEMR, the widely-used open source electronic health records (EHR) and medical practice management application. This vulnerability exists in the order types management system, specifically in the /openemr/interface/orders/types_edit.php endpoint, allowing low-privilege users such as Receptionists to add and modify procedure types without proper authorization. Given OpenEMR's deployment in healthcare environments handling sensitive patient data, this vulnerability poses significant risks to data integrity and regulatory compliance.
Critical Impact
Low-privilege users can bypass authorization controls to modify procedure types in the medical records system, potentially compromising clinical workflow integrity and patient safety in healthcare environments.
Affected Products
- OpenEMR versions prior to 8.0.0
- open-emr openemr (all versions before the security patch)
- Installations using the /interface/orders/types_edit.php and /interface/orders/types_ajax.php endpoints
Discovery Timeline
- 2026-02-25 - CVE-2026-25131 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-25131
Vulnerability Analysis
This vulnerability stems from missing authorization checks in the OpenEMR order types management functionality. The affected endpoints (types_edit.php and types_ajax.php) fail to verify that the requesting user has appropriate administrative privileges before allowing modifications to procedure types. This constitutes a CWE-862 (Missing Authorization) vulnerability, where security-critical operations are performed without validating that the authenticated user is authorized to perform those actions.
In healthcare software like OpenEMR, procedure types define how laboratory tests, radiology orders, and other clinical procedures are configured and processed. Unauthorized modification of these types could lead to incorrect billing codes, misrouted lab results, or corrupted clinical workflows—all of which have serious implications for patient care and regulatory compliance under HIPAA and similar frameworks.
Root Cause
The root cause is the absence of Access Control List (ACL) checks in the affected PHP files. Prior to the patch, both types_edit.php and types_ajax.php did not invoke OpenEMR's AclMain::aclCheckCore() function to verify that the user possessed either admin:super or patients:lab permissions before processing requests. This allowed any authenticated user, regardless of their role, to access and modify procedure type configurations.
Attack Vector
An attacker with low-privilege credentials (such as a Receptionist account) can exploit this vulnerability by:
- Authenticating to the OpenEMR application with valid but limited credentials
- Directly accessing the /openemr/interface/orders/types_edit.php endpoint
- Submitting requests to add, modify, or delete procedure types
- Potentially disrupting clinical workflows or manipulating medical data without administrative oversight
The attack requires network access to the OpenEMR instance and valid authentication credentials, but no user interaction is required from privileged users.
// Security patch in interface/orders/types_ajax.php
// Source: https://github.com/openemr/openemr/commit/1e63cbab34558bca029533f87cdb6efb1ff32c75
* @link http://www.open-emr.org
* @author Rod Roark <rod@sunsetsystems.com>
* @author Brady Miller <brady.g.miller@gmail.com>
+ * @author Michael A. Smith <michael@opencoreemr.com>
* @copyright Copyright (c) 2010-2012 Rod Roark <rod@sunsetsystems.com>
* @copyright Copyright (c) 2019 Brady Miller <brady.g.miller@gmail.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc <https://opencoreemr.com/>
* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
*/
require_once("../globals.php");
+use OpenEMR\Common\Acl\AclMain;
+
+if (!AclMain::aclCheckCore('admin', 'super') && !AclMain::aclCheckCore('patients', 'lab')) {
+ die(xlt('Not authorized'));
+}
+
$id = ($_GET['id'] ?? '') + 0;
$order = ($_GET['order'] ?? '') + 0;
$labid = ($_GET['labid'] ?? '') + 0;
Detection Methods for CVE-2026-25131
Indicators of Compromise
- Unexpected modifications to procedure types or order configurations in the OpenEMR database
- Access logs showing requests to /interface/orders/types_edit.php or /interface/orders/types_ajax.php from non-administrative user accounts
- Audit trail entries indicating procedure type changes made by users without admin:super or patients:lab ACL permissions
- Anomalous activity patterns from Receptionist or other low-privilege accounts accessing administrative endpoints
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on access to /interface/orders/types_edit.php and /interface/orders/types_ajax.php endpoints
- Review OpenEMR audit logs for unauthorized procedure type modifications by correlating user roles with actions performed
- Deploy file integrity monitoring on OpenEMR installation files to detect unauthorized code modifications
- Configure SIEM alerts for authentication events followed by access to order management endpoints from non-administrative accounts
Monitoring Recommendations
- Enable detailed access logging for all OpenEMR administrative endpoints
- Implement user behavior analytics to detect privilege abuse patterns from low-privilege accounts
- Monitor database tables related to procedure types for unexpected INSERT, UPDATE, or DELETE operations
- Establish baseline activity patterns for different user roles and alert on deviations
How to Mitigate CVE-2026-25131
Immediate Actions Required
- Upgrade OpenEMR to version 8.0.0 or later immediately
- If immediate upgrade is not possible, restrict access to the /interface/orders/ directory at the web server level to administrative IP addresses only
- Review OpenEMR audit logs to identify any potential exploitation that may have occurred prior to patching
- Conduct a user access review to ensure role assignments follow the principle of least privilege
- Consider temporarily disabling low-privilege user accounts until the patch is applied
Patch Information
OpenEMR has released version 8.0.0 which contains the security fix for this vulnerability. The patch adds proper ACL checks using AclMain::aclCheckCore() to verify that users have either admin:super or patients:lab permissions before allowing access to the order types management functionality. The fix is documented in the GitHub Security Advisory GHSA-6h2m-4ppf-ph4j and implemented in commit 1e63cbab34558bca029533f87cdb6efb1ff32c75.
Workarounds
- Implement web server access controls (e.g., Apache .htaccess or Nginx location blocks) to restrict access to /interface/orders/types_edit.php and /interface/orders/types_ajax.php to trusted administrative IP addresses
- Configure a reverse proxy or WAF rule to require additional authentication for administrative endpoints
- Disable or limit low-privilege user accounts that do not require access to order management features
- Implement network segmentation to restrict which systems can access the OpenEMR application server
# Apache .htaccess workaround to restrict access to vulnerable endpoints
# Place in /openemr/interface/orders/.htaccess
<Files "types_edit.php">
Require ip 10.0.0.0/8 192.168.1.0/24
</Files>
<Files "types_ajax.php">
Require ip 10.0.0.0/8 192.168.1.0/24
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
