CVE-2026-24487
Chinese title:
(No data)
English title:
OpenEMR has FHIR Patient Compartment Bypass in CareTeam Resource
Vulnerability description
Chinese description:
(No data)
English description:
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all patients instead of being restricted to only the authenticated patient's data. This could potentially lead to unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures across the entire system. The issue occurs because the `FhirCareTeamService` does not implement the `IPatientCompartmentResourceService` interface and does not pass the patient binding parameter to the underlying service, bypassing the patient compartment filtering mechanism. Version 8.0.0 contains a patch for this issue.
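A post-upgrade regression check for the compartment filtering described above, as an added example that is not OpenEMR code: it flags any CareTeam in a FHIR search Bundle whose `subject` is not the patient the token is bound to. The helper names, the patient ids and both sample bundles are constructed for illustration; only the standard FHIR `Bundle.entry[].resource` and `CareTeam.subject.reference` fields are assumed.

```python
from urllib.parse import urlparse

def patient_id(reference):
    """Logical id from 'Patient/<id>' or an absolute '.../Patient/<id>' reference, else None."""
    if not isinstance(reference, str):
        return None
    parts = [p for p in urlparse(reference).path.split("/") if p]
    for i, part in enumerate(parts[:-1]):  # also covers '.../Patient/<id>/_history/<v>'
        if part == "Patient":
            return parts[i + 1]
    return None

def compartment_leaks(bundle, bound_patient_id):
    """Return (CareTeam id, subject reference) for every entry outside the bound patient's compartment."""
    leaks = []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") != "CareTeam":
            continue
        ref = (res.get("subject") or {}).get("reference")
        # Fail closed: a missing or non-Patient subject cannot be shown to belong to the compartment.
        if patient_id(ref) != bound_patient_id:
            leaks.append((res.get("id"), ref))
    return leaks

def care_team(rid, subject):
    """Build a minimal constructed Bundle entry holding one CareTeam."""
    return {"resource": {"resourceType": "CareTeam", "id": rid,
                         "subject": {"reference": subject}}}

# Constructed responses to a CareTeam search made with a token bound to patient 'pat-a'.
UNFILTERED = {"resourceType": "Bundle", "type": "searchset", "entry": [
    care_team("ct-1", "Patient/pat-a"),
    care_team("ct-2", "Patient/pat-b"),
    care_team("ct-3", "https://ehr.example/fhir/Patient/pat-c"),
]}
FILTERED = {"resourceType": "Bundle", "type": "searchset", "entry": [
    care_team("ct-1", "Patient/pat-a"),
]}

if __name__ == "__main__":
    for name, bundle in (("unfiltered", UNFILTERED), ("filtered", FILTERED)):
        print(name, compartment_leaks(bundle, "pat-a"))
```

An empty result for every page of the search response is the pass condition; any returned tuple names a CareTeam that the patient-scoped token should not have been able to read.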
CWE type:
Tags:
Affected products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| openemr | openemr | < 8.0.0 | - | - | cpe:2.3:a:openemr:openemr:<_8.0.0:*:*:*:*:*:*:* |
| open-emr | openemr | * | - | - | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:* |
Solution
Chinese solution:
English solution:
Temporary workaround:
CVSS score details
4.0 (cna)
MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Timeline
Exploitation information
Data source details
| Data source | Record ID | Version | Extraction time |
|---|---|---|---|
| CVE | cve_CVE-2026-24487 | 2026-02-26 03:19:56 | 2026-02-25 22:00:01 |
| NVD | nvd_CVE-2026-24487 | 2026-02-26 02:00:04 | 2026-02-25 22:00:04 |
Version and language
Security advisories
Change history
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']