OpenEMR
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*
- < 8.0.0
A missing authorization vulnerability has been identified in OpenEMR versions prior to 8.0.0. The issue arises in the REST API route table within 'apis/routes/_rest_routes_standard.inc.php', where the document and insurance routes do not invoke the necessary authorization checks. This omission allows any valid API bearer token to access or modify all patients' documents and insurance data, bypassing OpenEMR's access control lists (ACLs) and exposing sensitive personal health information (PHI) to authenticated API clients. In contrast, other patient routes in the same file properly implement these authorization checks.
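The pattern the advisory describes, one route table in which most entries call an authorization check and a few do not, is easiest to prevent when the check is not a call each handler has to remember but a mandatory field of every route entry that the dispatcher enforces. The following is an added illustration written for this page, not OpenEMR's own code: the route patterns, the ACL names `patients/docs` and `patients/demo`, and the `ApiContext` class are all assumptions. The table is validated at startup so that an entry without an ACL requirement cannot be registered at all, and authorization runs centrally before any handler.

```php
<?php
declare(strict_types=1);

// Added illustration, not OpenEMR's code. Route patterns, ACL names and the
// ApiContext class are assumptions made for this example.

final class ApiContext
{
    /** @param string[] $acls granted ACLs as "section/value" (constructed for the demo) */
    public function __construct(private array $acls) {}

    public function allows(string $section, string $value): bool
    {
        return in_array("$section/$value", $this->acls, true);
    }
}

/** Every entry carries its own 'acl' => [section, value]; there is no way to opt out. */
function buildRouteTable(): array
{
    return [
        'GET /api/patient/:pid/document' => [
            'acl'     => ['patients', 'docs'],
            'handler' => fn(array $params): array => ['documents_for_pid' => $params['pid']],
        ],
        'GET /api/patient/:pid/insurance' => [
            'acl'     => ['patients', 'demo'],
            'handler' => fn(array $params): array => ['insurance_for_pid' => $params['pid']],
        ],
    ];
}

/** Fails at startup if any entry lacks an ACL requirement or a handler. */
function validateRouteTable(array $routes): array
{
    foreach ($routes as $pattern => $entry) {
        if (!isset($entry['acl']) || count($entry['acl']) !== 2 || !is_callable($entry['handler'] ?? null)) {
            throw new LogicException("Route '$pattern' has no ACL requirement or handler");
        }
    }
    return $routes;
}

/** Matches a "METHOD /seg/:param" pattern against a request; returns captured params or null. */
function matchRoute(string $pattern, string $method, string $path): ?array
{
    [$patternMethod, $patternPath] = explode(' ', $pattern, 2);
    if ($patternMethod !== strtoupper($method)) {
        return null;
    }
    $want = explode('/', trim($patternPath, '/'));
    $have = explode('/', trim($path, '/'));
    if (count($want) !== count($have)) {
        return null;
    }
    $params = [];
    foreach ($want as $i => $segment) {
        if ($segment !== '' && $segment[0] === ':') {
            $params[substr($segment, 1)] = $have[$i];
        } elseif ($segment !== $have[$i]) {
            return null;
        }
    }
    return $params;
}

/** Authorization is enforced here, centrally, never left to the individual handler. */
function dispatch(array $routes, ApiContext $ctx, string $method, string $path): array
{
    foreach ($routes as $pattern => $entry) {
        $params = matchRoute($pattern, $method, $path);
        if ($params === null) {
            continue;
        }
        [$section, $value] = $entry['acl'];
        if (!$ctx->allows($section, $value)) {
            return ['status' => 403, 'body' => ['error' => "requires ACL $section/$value"]];
        }
        return ['status' => 200, 'body' => ($entry['handler'])($params)];
    }
    return ['status' => 404, 'body' => ['error' => 'no such route']];
}

$routes = validateRouteTable(buildRouteTable());

// Constructed tokens: one granted only demographics access, one granted document access as well.
$demoOnly = new ApiContext(['patients/demo']);
$docsToo  = new ApiContext(['patients/demo', 'patients/docs']);

print_r(dispatch($routes, $demoOnly, 'GET', '/api/patient/42/document'));
print_r(dispatch($routes, $docsToo,  'GET', '/api/patient/42/document'));
print_r(dispatch($routes, $demoOnly, 'GET', '/api/patient/42/insurance'));
```

Run with `php example.php`: the first request is refused with status 403 because the token lacks `patients/docs`, the second succeeds, and the third succeeds because the insurance route only requires `patients/demo`. The point of the structure is that a reviewer auditing a large route file no longer has to read every closure for a missing check; `validateRouteTable` turns an omitted ACL into a startup failure rather than a silent PHI exposure.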
This vulnerability allows for unauthorized access to and modification of all patients' documents and insurance data through the OpenEMR REST API. Any authenticated API client can exploit this issue, regardless of the token's associated ACLs, leading to a broad exposure of sensitive PHI.
To reproduce this vulnerability, first ensure that the OpenEMR REST API is enabled. Obtain a valid API bearer token, which can be acquired through normal API authentication methods, such as OAuth2 or API credentials. Once the token is obtained, it can be used to access the vulnerable document and insurance routes for any patient, without the required authorization checks being enforced.
Users can upgrade to OpenEMR version 8.0.0 or later, where this vulnerability has been patched.