Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25746

CVE-2026-25746: OpenEMR SQL Injection Vulnerability

CVE-2026-25746 is a SQL injection vulnerability in OpenEMR's prescription listing feature that allows authenticated attackers to exploit insufficient input validation. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-25746 Overview

CVE-2026-25746 is a SQL injection vulnerability affecting OpenEMR, a widely-used free and open source electronic health records (EHR) and medical practice management application. Versions prior to 8.0.0 contain insufficient input validation in the prescription listing functionality, allowing authenticated attackers to execute arbitrary SQL queries against the underlying database.

This vulnerability is classified as CWE-89 (SQL Injection), a critical weakness that enables attackers to manipulate database queries through malicious input. Given OpenEMR's role in managing sensitive patient health information, successful exploitation could lead to unauthorized access to protected health information (PHI), data modification, or complete database compromise.

Critical Impact

Authenticated attackers can exploit SQL injection in the prescription module to extract, modify, or delete sensitive electronic health records, potentially compromising patient privacy and healthcare operations.

Affected Products

  • OpenEMR versions prior to 8.0.0
  • OpenEMR 7.0.4 (confirmed vulnerable per PoC)
  • All OpenEMR installations using the vulnerable C_Prescription.class.php and Prescription.class.php components

Discovery Timeline

  • 2026-02-25 - CVE-2026-25746 published to NVD
  • 2026-02-25 - Last updated in NVD database

Technical Details for CVE-2026-25746

Vulnerability Analysis

This SQL injection vulnerability exists within OpenEMR's prescription management module, specifically in the prescription listing functionality. The vulnerability stems from improper handling of user-supplied input that is incorporated into SQL queries without adequate sanitization or parameterization.

The attack can be executed by authenticated users over the network without requiring user interaction. Successful exploitation grants attackers the ability to read sensitive database contents including patient records, modify or delete data, and potentially escalate privileges within the application.

Healthcare applications like OpenEMR are particularly high-value targets due to the sensitive nature of Protected Health Information (PHI) they store, making this vulnerability especially concerning for healthcare organizations subject to HIPAA and other regulatory requirements.

Root Cause

The root cause of CVE-2026-25746 is insufficient input validation in the prescription listing functionality. According to the GitHub Security Advisory GHSA-78r7-g65p-gpw3, user-controlled input is passed to SQL queries without proper sanitization.

The vulnerable code paths are located in:

  • controllers/C_Prescription.class.php (line 180)
  • library/classes/Prescription.class.php (line 1148)
  • library/classes/Controller.class.php (line 77)

These components fail to properly escape or parameterize user input before incorporating it into database queries, allowing attackers to inject malicious SQL statements.

Attack Vector

The attack vector is network-based and requires low-privileged authentication to the OpenEMR application. An attacker with valid credentials can navigate to the prescription listing functionality and inject SQL payloads through vulnerable input fields or parameters.

The following patch was applied to remediate the vulnerability:

php
  * @package   OpenEMR
  * @link      https://www.open-emr.org
  * @author    Brady Miller <brady.g.miller@gmail.com>
+ * @author    Michael A. Smith <michael@opencoreemr.com>
  * @copyright Copyright (c) 2019 Brady Miller <brady.g.miller@gmail.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc <https://opencoreemr.com/>
  * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  */

Source: GitHub OpenEMR Commit Update

A proof-of-concept demonstrating this vulnerability is available in the CVE-2026-25746 PoC repository.

Detection Methods for CVE-2026-25746

Indicators of Compromise

  • Unusual SQL syntax or error messages in web server logs associated with prescription-related endpoints
  • Database query logs showing injection attempts with UNION, SELECT, or other SQL keywords in prescription parameters
  • Unexpected database access patterns or data exfiltration from prescription-related tables
  • Authentication logs showing suspicious activity from accounts accessing prescription functionality

Detection Strategies

  • Deploy web application firewall (WAF) rules to detect and block SQL injection patterns in HTTP requests
  • Enable detailed logging for database queries and monitor for anomalous SQL statements
  • Implement intrusion detection system (IDS) signatures targeting SQL injection payloads
  • Review application logs for requests to /controllers/C_Prescription.class.php with suspicious parameter values
  • Monitor for unusual SELECT statements or database enumeration attempts in database audit logs

Monitoring Recommendations

  • Configure real-time alerting for SQL error messages returned to clients
  • Enable database audit logging to track all queries against sensitive patient tables
  • Implement behavioral analysis to detect abnormal data access patterns from authenticated users
  • Set up monitoring for large data exports or unusual query volumes from prescription-related functions

How to Mitigate CVE-2026-25746

Immediate Actions Required

  • Upgrade OpenEMR to version 8.0.0 or later immediately
  • Review database audit logs for evidence of exploitation attempts
  • Conduct a security assessment to identify any unauthorized data access
  • Implement network segmentation to limit access to the OpenEMR application
  • Enable Web Application Firewall (WAF) rules to block SQL injection attempts as an interim measure

Patch Information

OpenEMR has released version 8.0.0 which contains the security fix for this vulnerability. The patch is available via the official commit. Organizations should upgrade to the patched version as soon as possible.

For detailed information about the vulnerability and remediation, refer to the GitHub Security Advisory GHSA-78r7-g65p-gpw3.

Workarounds

  • Implement strict input validation at the WAF or reverse proxy level for prescription-related endpoints
  • Restrict network access to OpenEMR to only trusted IP ranges
  • Limit user privileges to the minimum necessary for their role, reducing potential impact of compromised accounts
  • Enable database connection encryption and audit logging to detect exploitation attempts
bash
# Example: Apache ModSecurity rule to block SQL injection attempts
SecRule ARGS "@detectSQLi" \
    "id:1001,\
    phase:2,\
    deny,\
    status:403,\
    msg:'SQL Injection attempt detected',\
    log,\
    auditlog"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne