CVE-2026-25146 — CRITICAL (9.6)

Q: How severe is CVE-2026-25146?

CVE-2026-25146 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-25146?

Check the references section above for vendor advisories and patch information. Affected products include: Open-Emr Openemr.

Vulnerability Description

OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Open-Emr	Openemr	>= 5.0.2, < 8.0.0

Related Weaknesses (CWE)

CWE-200

References

FAQ

What is CVE-2026-25146?

CVE-2026-25146 is a vulnerability with a CVSS score of 9.6 (CRITICAL). OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret val...

How severe is CVE-2026-25146?

CVE-2026-25146 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-25146?

Check the references section above for vendor advisories and patch information. Affected products include: Open-Emr Openemr.