{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T11:54:57.206","vulnerabilities":[{"cve":{"id":"CVE-2026-24896","sourceIdentifier":"security-advisories@github.com","published":"2026-02-25T02:16:22.353","lastModified":"2026-02-25T16:54:24.783","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in OpenEMR’s edih_main.php endpoint, which allows any authenticated user—including low-privilege roles like Receptionist—to access EDI log files by manipulating the log_select parameter in a GET request. The back-end fails to enforce role-based access control (RBAC), allowing sensitive system logs to be accessed outside the GUI-enforced permission boundaries. Version 8.0.0 fixes the issue."},{"lang":"es","value":"OpenEMR es una aplicación gratuita y de código abierto para registros de salud electrónicos y gestión de consultorios médicos. Antes de la versión 8.0.0, existe una vulnerabilidad de control de acceso roto en el endpoint edih_main.php de OpenEMR, que permite a cualquier usuario autenticado —incluidos roles de bajo privilegio como Recepcionista— acceder a los archivos de registro EDI manipulando el parámetro log_select en una solicitud GET. El back-end no aplica el control de acceso basado en roles (RBAC), lo que permite acceder a registros sensibles del sistema fuera de los límites de permisos impuestos por la GUI. La versión 8.0.0 soluciona el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*","versionEndExcluding":"8.0.0","matchCriteriaId":"FEAA9896-A42E-437C-BEE8-8DA955E34385"}]}]}],"references":[{"url":"https://github.com/openemr/openemr/commit/1a57dfc244b30e96e7ebdb5ba6f331a6eb868df1","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/openemr/openemr/security/advisories/GHSA-rccq-vjfg-ggjh","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}