CVE-2026-25745

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25745

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25745.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25745

Aliases

GHSA-jm78-x5p7-52qh

Published

2026-03-18T20:30:30.642Z

Modified

2026-04-10T05:40:47.319397Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

OpenEMR's Message Update Ignores Patient id

Details

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) updates by message/note ID only and does not verify that the message belongs to the current patient (or that the user is allowed to edit that patient’s notes). An authenticated user with notes permission can modify any patient’s messages by supplying another message ID. Commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contains a fix for the issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25745.json",
    "cwe_ids": [
        "CWE-639"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/openemr/openemr

Affected ranges

Type: GIT
Repo: https://github.com/openemr/openemr
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

92a2ff9eaaa80674b3a934a6556e35e7aded5a41

Affected versions

Other

v2_7_2

v2_7_2-rc1

v2_7_2-rc2

v2_7_3-rc1

v2_8_0

v2_8_1

v2_8_2

v2_8_3

v2_9_0

v3_0_0

v3_0_1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25745.json"