OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0
An authorization bypass vulnerability exists in OpenEMR versions prior to 8.0.0, in the FHIR CareTeam resource endpoint. Patient-scoped FHIR tokens can read care team data for all patients rather than only the authenticated patient's own records, so Protected Health Information (PHI), including patient-provider relationships and care team structures across the system, may be disclosed to unauthorized parties. The root cause is that FhirCareTeamService does not implement the IPatientCompartmentResourceService interface and does not pass the patient binding parameter to the underlying service, so the patient compartment filtering mechanism is never applied to CareTeam searches.
Exploitation exposes care team data for all patients, including sensitive details such as patient-provider relationships and care team structures, in violation of patient privacy and confidentiality requirements.
To reproduce this vulnerability, authenticate as a patient through the OpenEMR patient portal to obtain a patient-scoped FHIR OAuth2 token. Then, send a GET request to the CareTeam endpoint without including a patient search parameter. The response will contain care team data for multiple patients, indicating that the patient compartment filtering has been bypassed.
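The following is an added illustration, not OpenEMR code: it models in Python the two service patterns the description contrasts, a search that honours only the optional `patient` search parameter (so a patient-scoped token with no parameter receives every patient's team) beside one that applies the token's patient binding on every call, and it includes a small bundle checker that reports any CareTeam whose subject is not the token's patient. The `TokenContext`, `search_unfiltered`, `search_bound` and `compartment_violations` names, and the patient and practitioner ids, are constructed for the example and correspond to nothing in OpenEMR.

```python
"""Patient-compartment filtering for a FHIR CareTeam search (added illustration,
not OpenEMR's own code). Shows the vulnerable pattern, where the service ignores
the patient binding carried by a patient-scoped OAuth2 token, beside the hardened
pattern, where the binding is applied regardless of client-supplied parameters,
plus a checker for searchset bundles."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: hypothetical ids, not taken from any real system.
CARE_TEAMS = [
    {"resourceType": "CareTeam", "id": "ct-1",
     "subject": {"reference": "Patient/p-1"},
     "participant": [{"member": {"reference": "Practitioner/dr-a"}}]},
    {"resourceType": "CareTeam", "id": "ct-2",
     "subject": {"reference": "Patient/p-2"},
     "participant": [{"member": {"reference": "Practitioner/dr-b"}}]},
    {"resourceType": "CareTeam", "id": "ct-3",
     "subject": {"reference": "Patient/p-3"},
     "participant": [{"member": {"reference": "Practitioner/dr-a"}}]},
]


@dataclass(frozen=True)
class TokenContext:
    """What the resource layer learns from a validated access token (hypothetical type)."""
    scopes: frozenset
    # Bound patient for patient/* scopes; None for user/* or system/* scopes.
    patient_id: Optional[str] = None


def _patient_id_from_ref(ref: str) -> str:
    """'Patient/p-1' and the bare 'p-1' both denote patient p-1."""
    return ref.split("/", 1)[1] if ref.startswith("Patient/") else ref


def search_unfiltered(params: dict) -> list:
    """Vulnerable pattern: only the optional 'patient' search parameter narrows
    the result, so a patient-scoped token that omits it sees every patient's team."""
    wanted = params.get("patient")
    if wanted is None:
        return list(CARE_TEAMS)
    wanted = _patient_id_from_ref(wanted)
    return [ct for ct in CARE_TEAMS
            if _patient_id_from_ref(ct["subject"]["reference"]) == wanted]


def search_bound(ctx: TokenContext, params: dict) -> list:
    """Hardened pattern: the token's patient binding is forced into the search on
    every call, and a 'patient' parameter naming another patient is rejected."""
    if ctx.patient_id is not None:
        requested = params.get("patient")
        if requested is not None and _patient_id_from_ref(requested) != ctx.patient_id:
            raise PermissionError("patient parameter outside the token's compartment")
        params = {**params, "patient": ctx.patient_id}
    return search_unfiltered(params)


def to_bundle(resources: list) -> dict:
    """Wrap resources as a FHIR searchset Bundle."""
    return {"resourceType": "Bundle", "type": "searchset",
            "total": len(resources),
            "entry": [{"resource": r} for r in resources]}


def compartment_violations(bundle: dict, patient_id: str) -> list:
    """Ids of CareTeam resources in a searchset whose subject is not patient_id.
    Pointed at a live response obtained with a patient-scoped token, a non-empty
    result means the compartment filter is not being enforced."""
    bad = []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") != "CareTeam":
            continue
        subject = res.get("subject", {}).get("reference", "")
        if _patient_id_from_ref(subject) != patient_id:
            bad.append(res.get("id"))
    return bad


if __name__ == "__main__":
    token = TokenContext(scopes=frozenset({"patient/CareTeam.read"}), patient_id="p-1")
    leaky = to_bundle(search_unfiltered({}))    # what the unfiltered service returns
    fixed = to_bundle(search_bound(token, {}))  # what the bound service returns
    print("unfiltered violations:", compartment_violations(leaky, "p-1"))
    print("bound violations:", compartment_violations(fixed, "p-1"))
```

The point of `search_bound` is that the binding comes from the token, not from the request: omitting the `patient` parameter no longer widens the result, and naming a different patient is refused rather than honoured. `compartment_violations` is the post-upgrade check: feed it the JSON bundle returned to a patient-scoped token and confirm it comes back empty.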
Upgrade to OpenEMR version 8.0.0 or later, where this vulnerability has been patched.