OpenEMR, an open-source electronic medical records platform used globally, was analyzed by Aisle, which identified 39 issues, 38 of which have CVE identifiers. The majority of vulnerabilities stem from missing or incorrect authorization controls, with others including cross-site scripting, SQL injection, path traversal, and session expiration problems. Two critical SQL injection vulnerabilities (CVE-2026-24908 and CVE-2026-23627) can lead to full database compromise, patient health information exfiltration, credential theft, and remote code execution. An additional authorization bypass vulnerability (CVE-2026-24487) also exposes sensitive patient data. These findings were part of a partnership between OpenEMR developers and Aisle, and all vulnerabilities have been patched. Despite the severity, no confirmed exploitation in the wild has been reported, possibly due to firewalled or updated deployments.

The vulnerabilities could allow attackers with authentication to compromise OpenEMR databases, access and alter sensitive patient health information, steal credentials, and execute arbitrary code on the server. This poses significant risks to patient privacy and system integrity. However, no confirmed in-the-wild exploitation has been reported to date.

All identified vulnerabilities have been patched by the OpenEMR development team in coordination with Aisle. Healthcare providers using OpenEMR should ensure their systems are updated to the latest patched versions to mitigate these risks. Since the vulnerabilities are patched, no additional immediate actions are required beyond applying these updates.