Dozens of vulnerabilities, including critical issues that can be exploited to steal sensitive patient information, were discovered recently in the open source electronic medical records platform OpenEMR.
OpenEMR, which is used worldwide by over 100,000 healthcare providers to store data on more than 200 million patients, was analyzed by the application security firm Aisle. The company’s autonomous analyzer identified 39 issues, of which 38 have been assigned CVE identifiers.
The research was conducted as part of a partnership between OpenEMR developers and Aisle, and all the vulnerabilities have been patched.
The majority of the security holes were due to missing or incorrect authorization. The remaining vulnerabilities were described as XSS, SQL injection, path traversal, and session expiration issues.
“In the most severe cases, SQL injection vulnerabilities combined with modest database privileges could have led to full database compromise, PHI exfiltration at scale, and remote code execution on the server,” Aisle said.
The security firm highlighted three vulnerabilities that can be exploited to access or alter patient data. Two of them are critical SQL injection bugs tracked as CVE-2026-24908 and CVE-2026-23627, which can allow any authenticated attacker to compromise a database, exfiltrate data, steal credentials, and execute arbitrary code.
Another flaw exposing patient data is CVE-2026-24487, described as an authorization bypass issue.
The complete list of OpenEMR CVEs is available in a blog post from Aisle.
Critical OpenEMR vulnerabilities that expose patient information are regularly discovered by researchers.
CVEdetails has cataloged more than 200 vulnerabilities discovered over the past decade. However, there do not appear to be any public reports confirming in-the-wild exploitation of OpenEMR vulnerabilities.
This may be due to many OpenEMR deployments being firewalled or kept up to date, and healthcare organizations more commonly being hit via broader vectors rather than application-specific flaws.
Related: Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak
Related: Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000
