Aisle’s analysis of OpenEMR uncovered 39 vulnerabilities (38 of them assigned CVEs), including critical SQL injection and authorization bypass flaws that could allow authenticated attackers to exfiltrate protected health information (PHI) and achieve remote code execution. OpenEMR developers partnered with Aisle to patch all reported issues; notable tracked bugs include CVE-2026-24908, CVE-2026-23627, and CVE-2026-24487, and the full list is available in Aisle’s blog. #OpenEMR #Aisle #CVE-2026-24908 #CVE-2026-23627 #CVE-2026-24487
Keypoints
- Aisle’s autonomous analyzer identified 39 security issues in OpenEMR, with 38 assigned CVE identifiers.
- The majority of vulnerabilities stemmed from missing or incorrect authorization checks.
- Critical SQL injection bugs (CVE-2026-24908 and CVE-2026-23627) could allow authenticated attackers to compromise the backend database, exfiltrate patient data, and achieve remote code execution; a valid account is required, so the attack surface is every user with OpenEMR credentials.
- CVE-2026-24487 is an authorization bypass that could let an authenticated user view or alter patient records outside their permitted scope.
- All reported vulnerabilities have been patched through the OpenEMR–Aisle collaboration, and there are no public reports of in-the-wild exploitation to date.
Read More: https://www.securityweek.com/38-vulnerabilities-found-in-openemr-medical-software/