OpenEMR Missing Authorization Vulnerability in Insurance Company API Routes

Vulnerability

OpenEMR versions prior to 8.0.0.3 ship five insurance company REST API routes in the standard API that perform no authorization check. Authentication is still enforced (a valid API token is required), but any authenticated API user can reach the data-modifying routes and create or modify insurance company records, regardless of whether the account behind the token holds administrative permissions. The defect is the missing per-route access-control check, not a flaw in token validation: the dispatcher proves who the caller is, and nothing then asks whether that caller may manage insurance companies.
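The pattern, as an added illustration (this is not OpenEMR's own route table, nor the actual vulnerable or patched code): the closure-per-route style used by OpenEMR's REST route file, with a route lacking the gate beside its hardened form, followed by a small reflection-based audit that flags every route whose handler never calls an authorization check. The route paths, the controller class name and the ACL pair ("admin", "super") are assumptions chosen for illustration; confirm the permission the project actually chose against the 8.0.0.3 change.

```php
<?php
// Added example, not OpenEMR's code or its fix. Mimics the closure-per-route
// style of OpenEMR's apis/routes/_rest_routes.inc.php. Route paths, the
// controller name and the ACL pair ("admin", "super") are assumptions.
// The closures below are never executed by this script, so no OpenEMR
// runtime is needed to run the audit at the bottom.

use OpenEMR\RestControllers\InsuranceCompanyRestController; // assumed name

$routes = [
    // BEFORE: no authorization gate. The bearer-token check in the dispatcher
    // only proves the caller is some valid API user; nothing here asks whether
    // that user may manage insurance companies, so any token can create one.
    "POST /api/insurance_company" => function () {
        $data = json_decode(file_get_contents("php://input"), true) ?? [];
        $return = (new InsuranceCompanyRestController())->post($data);
        RestConfig::apiLog($return, $data);
        return $return;
    },

    // AFTER: the same shape with an explicit ACL check before any work is
    // done. In OpenEMR, RestConfig::authorization_check() ends the request
    // with HTTP 401 when the token's user lacks the permission.
    "PUT /api/insurance_company/:iid" => function ($iid) {
        RestConfig::authorization_check("admin", "super"); // assumed ACL pair
        $data = json_decode(file_get_contents("php://input"), true) ?? [];
        $return = (new InsuranceCompanyRestController())->put($iid, $data);
        RestConfig::apiLog($return, $data);
        return $return;
    },
];

/**
 * Static audit: return the route keys whose closure source contains no call
 * to authorization_check(). The closure's own source lines are read back via
 * reflection, so handlers are inspected, never invoked.
 */
function routesMissingAuthorizationCheck(array $routes): array
{
    $missing = [];
    foreach ($routes as $route => $handler) {
        $ref   = new ReflectionFunction($handler);
        $lines = file($ref->getFileName());
        // getStartLine()/getEndLine() are 1-based and inclusive.
        $start = $ref->getStartLine() - 1;
        $count = $ref->getEndLine() - $ref->getStartLine() + 1;
        $body  = implode('', array_slice($lines, $start, $count));
        if (strpos($body, 'authorization_check(') === false) {
            $missing[] = $route;
        }
    }
    return $missing;
}

foreach (routesMissingAuthorizationCheck($routes) as $route) {
    fwrite(STDERR, "no authorization_check: {$route}\n");
}
```

The audit is deliberately crude: it only detects the literal absence of a call, so a route that checks the wrong permission, or one whose check sits behind a condition, passes silently. It is a quick way to find the class of omission this advisory describes across a route table, not a substitute for reviewing which ACL each data-modifying route should require.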

Impact

An authenticated API user without administrative rights can create or alter insurance company records. Because billing and claim submission depend on these records, unauthorized changes can disrupt billing workflows and insurance claim processing.

Remediation

Upgrade to OpenEMR 8.0.0.3 or later, which adds the missing authorization checks to the affected API routes. Downloads and release notes are available on the OpenEMR GitHub releases page. After upgrading, confirm the fix by calling one of the affected routes with an API token belonging to a non-administrative user: the request should now be rejected instead of creating or modifying a record.

Added: Mar 26, 2026, 12:31 AM
Updated: Mar 26, 2026, 12:31 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 1.3
exploitability: 5.5
remediation: 7.7
relevance: 4.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.