OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
Affected versions: < 8.0.0
A vulnerability in OpenEMR prior to version 8.0.0 allows unauthorized information disclosure. When the FHIR Location resource is exported through the Group or Patient bulk export operation, the complete contact information of all users, organizations, and patients is included in the export. This issue affects OpenEMR versions released since 2023 and arises in high-trust environments where a confidential client is used for secure key exchange, a setup that requires administrative permission to configure. The vulnerability is typically exploited through server-to-server communication between trusted clients with established legal agreements.
Exploitation of this vulnerability results in the unauthorized disclosure of contact information for all users, organizations, and patients within the OpenEMR system.
To reproduce this vulnerability, use a confidential client that has been granted the system/Location.read scope. Initiate a FHIR bulk export of the Location resource through either the Group or the Patient export operation. The resulting export contains the contact information of every individual in the system.
Users can upgrade to OpenEMR version 8.0.0 or later, where this vulnerability has been patched. Until the update has been applied, clients holding the vulnerable scope should be disabled, allowing only clients without the system/Location.read scope.
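For an unpatched instance, a defender can watch the web server access log for Group or Patient bulk exports that request the Location resource. The script below is an added example, not code from OpenEMR or this advisory; it assumes the instance's FHIR base path is /apis/default/fhir and runs over constructed log lines embedded inline.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real OpenEMR logs). The FHIR base
# path /apis/default/fhir is an assumption about the deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /apis/default/fhir/Patient/%24export?_type=Location HTTP/1.1" 202 0
10.0.0.5 - - [01/May/2024:10:00:02 +0000] "GET /apis/default/fhir/Group/12/$export?_type=Patient,Location&_outputFormat=ndjson HTTP/1.1" 202 0
10.0.0.9 - - [01/May/2024:10:00:03 +0000] "GET /apis/default/fhir/Location?name=Clinic HTTP/1.1" 200 1811
10.0.0.9 - - [01/May/2024:10:00:04 +0000] "GET /apis/default/fhir/Patient/$export?_type=Patient HTTP/1.1" 202 0
"""

# Common log format: client, identity, user, [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Patient-level ($export on Patient) and Group-level ($export on Group/{id}) bulk exports.
EXPORT_RE = re.compile(r"^/apis/default/fhir/(?P<kind>Patient|Group/[^/]+)/\$export$")


def is_location_export(target: str) -> bool:
    """True when the request is a Group or Patient bulk export that covers Location."""
    parts = urlsplit(target)
    path = unquote(parts.path)  # clients may percent-encode '$' as %24
    if not EXPORT_RE.match(path):
        return False
    type_values = parse_qs(parts.query).get("_type", [])
    requested = {t.strip() for value in type_values for t in value.split(",")}
    # Per the FHIR Bulk Data spec, omitting _type asks for every supported
    # resource type, so such a request is flagged as well.
    return not type_values or "Location" in requested


def find_location_exports(log_text: str) -> list[dict]:
    """Return one record per log line that requests a Location bulk export."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_location_export(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_location_exports(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['target']} ({hit['status']})")
```

Correlate each hit with the OAuth2 client that issued it; any client that should not hold system/Location.read belongs on the disable list above.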