Cyber Posture

CVE-2026-24890

Severity: High · Public PoC

Published: 25 February 2026
Modified: 27 February 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0010 (27.6th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the patient portal signature endpoint allows authenticated portal users to upload and overwrite provider signatures by setting `type=admin-signature` and specifying any provider user ID. This could lead to signature forgery on medical documents, legal compliance violations, and fraud. The root cause is that the endpoint lets portal users modify provider signatures without checking that the session is authorized to write the requested signature type or the requested user's signature. Version 8.0.0 fixes the issue.
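To make the flaw concrete, the following is an added, self-contained model of a signature-upload handler in its pre-fix and hardened forms. It is illustration code written for this page, not OpenEMR's code or its fix commit: the `Session` and `SignatureStore` types, the handler names, and the `uid` parameter name are assumptions; only the `type=admin-signature` value and the idea of a client-supplied provider user ID come from the advisory. The constructed request shows a portal user overwriting a provider's stored signature, and the hardened handler deriving both the allowed signature type and the target identity from the session instead of the request.

```python
"""Modelled authorization check for a portal signature-upload endpoint.

Added illustration only, not OpenEMR's code. Session, SignatureStore,
the handler names and the 'uid' parameter are assumptions for the
example; 'type=admin-signature' and the client-chosen user ID are the
elements described in CVE-2026-24890.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the authorization check rejects the request."""


@dataclass
class Session:
    """Minimal authenticated-session model (assumption, not OpenEMR's)."""
    subject_id: str   # patient id for portal users, user id for providers
    role: str         # "portal" or "provider"


@dataclass
class SignatureStore:
    """In-memory stand-in for signature storage, keyed by owner id."""
    patient: dict = field(default_factory=dict)
    admin: dict = field(default_factory=dict)

    def put(self, sig_type: str, owner_id: str, blob: bytes) -> None:
        target = self.admin if sig_type == "admin-signature" else self.patient
        target[owner_id] = blob


def handle_upload_vulnerable(session: Session, store: SignatureStore,
                             params: dict, blob: bytes) -> str:
    """Pre-8.0.0 behaviour as described: the signature type and the target
    user id are taken from the request, and the session is only checked
    for being logged in."""
    sig_type = params.get("type", "patient-signature")
    owner_id = params.get("uid", session.subject_id)   # 'uid' is an assumption
    store.put(sig_type, owner_id, blob)
    return owner_id


def handle_upload_fixed(session: Session, store: SignatureStore,
                        params: dict, blob: bytes) -> str:
    """Hardened model: the allowed signature type is bound to the role and
    the owner id is bound to the session; a client-supplied uid is ignored."""
    sig_type = params.get("type", "patient-signature")
    if session.role == "portal":
        if sig_type != "patient-signature":
            raise Forbidden("portal users may only write their own patient signature")
    elif session.role == "provider":
        if sig_type != "admin-signature":
            raise Forbidden("providers write only their own provider signature here")
    else:
        raise Forbidden("unknown role")
    owner_id = session.subject_id           # never trust params['uid']
    store.put(sig_type, owner_id, blob)
    return owner_id


def forged_request():
    """Constructed attacker request: portal user 'patient-42' targets
    provider 'user-7' with type=admin-signature."""
    return (Session("patient-42", "portal"),
            {"type": "admin-signature", "uid": "user-7"},
            b"FORGED")


def seeded_store() -> SignatureStore:
    store = SignatureStore()
    store.admin["user-7"] = b"GENUINE"      # provider's real signature on file
    return store


def run_vulnerable() -> bytes:
    """Returns what is stored for provider user-7 after the attack."""
    store = seeded_store()
    session, params, blob = forged_request()
    handle_upload_vulnerable(session, store, params, blob)
    return store.admin["user-7"]


def run_fixed() -> bytes:
    """Same request against the hardened handler; the store must be untouched."""
    store = seeded_store()
    session, params, blob = forged_request()
    try:
        handle_upload_fixed(session, store, params, blob)
    except Forbidden:
        pass
    return store.admin["user-7"]


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("fixed:     ", run_fixed())
```

The point worth taking from the model is the second handler: the fix is not a check that the `uid` "looks like" the caller, but removing the client's ability to choose the target at all, so a portal session can only ever write the patient signature belonging to its own subject.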

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Enforces approved authorizations, directly preventing authenticated patient portal users from bypassing checks to overwrite provider signatures.

Prevent: Restricts patient portal users to least privilege, prohibiting access to admin-signature modification functions intended for providers only.

Prevent: Remediates the specific authorization bypass flaw by applying the vendor fix in OpenEMR version 8.0.0 or later.

Security Summary (AI)

CVE-2026-24890 is an authorization bypass vulnerability (CWE-285) in OpenEMR, a free and open-source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0 and exists in the patient portal signature endpoint, where portal users can modify provider signatures without proper authorization checks. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts from network-accessible exploitation with low privileges and complexity.

Authenticated patient portal users can exploit the vulnerability by setting the `type=admin-signature` parameter and specifying any provider user ID, allowing them to upload and overwrite provider signatures. This enables attackers with portal access to forge signatures on medical documents, potentially resulting in legal compliance violations and fraud.

OpenEMR's security advisory (GHSA-xc8x-mfh8-9xvh) and the fixing commit (a29c0f7ac0975429a85cd09a3ff12ee0dcdb4478) confirm that version 8.0.0 resolves the issue by implementing proper authorization checks. Security practitioners should prioritize upgrading affected OpenEMR instances to version 8.0.0 or later.

Details

CWE(s): CWE-285 Improper Authorization

Affected Products: open-emr / openemr, versions prior to 8.0.0 (fixed in 8.0.0)

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The authorization bypass in the public-facing OpenEMR patient portal maps to T1190, since the flaw is reached through an Internet-facing application; the attacker does, however, need a valid portal account (PR:L). Overwriting a provider's stored signature is manipulation of data at rest, which maps to T1565.001.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1
