www.darkreading.com 4/29/2026, 8:04:25 PM · via preferred

AI audit finds 38 OpenEMR flaws, CVE-2026-24908 leaks PHI


An AI-powered analysis of the OpenEMR codebase uncovered 38 previously undisclosed vulnerabilities in the open source electronic health record platform, which is used by more than 100,000 healthcare providers worldwide. The flaws, all now patched, range from medium to critical severity and include missing or incorrect authorization checks, cross-site scripting, SQL injection, path traversal and session-handling issues.

Aisle, the company whose analyzer performed the audit, found the 38 new CVEs over a span of three months and reported them to the OpenEMR team, which released an updated version (8.0.0) in February and then rolled out further patches in March. Notable vulnerabilities include CVE-2026-24908, a maximum-severity flaw in OpenEMR’s Patient REST API that can allow external systems to retrieve patient records, and CVE-2026-23627 and CVE-2026-24487, an SQL injection and an authorization bypass respectively.

The report notes that, in severe cases, SQL injection, even with only modest database privileges, could lead to full database compromise, PHI exfiltration and potentially remote code execution. OpenEMR has since integrated Aisle’s AI-powered analyzer into its code review process to catch vulnerabilities before they reach production.
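The two flaw classes the article leads with, a missing authorization check on a patient-record endpoint and SQL injection, are easiest to see side by side. The following is an added, constructed Python example, not OpenEMR code and not the patched CVE: a toy patient-lookup handler backed by an in-memory SQLite table, with the vulnerable version beside the hardened one. The table, its rows, the API keys and the practice IDs are all invented for the illustration.

```python
"""Constructed illustration, not OpenEMR code: a patient-record lookup with
a missing tenant authorization check and SQL injection, beside a fixed version."""
import sqlite3

# Invented API keys mapping each caller to the practice it belongs to.
API_KEYS = {"key-practice-10": 10, "key-practice-20": 20}


def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, "
        "ssn TEXT, practice_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?, ?)",
        [(1, "Ada", "111-11-1111", 10), (2, "Bob", "222-22-2222", 20)],
    )
    return conn


def vulnerable_get_patient(conn, api_key, patient_id):
    """Authenticates the key but never checks which practice owns the record,
    and interpolates the caller-supplied id straight into the SQL."""
    if api_key not in API_KEYS:
        return []
    sql = f"SELECT id, name, ssn FROM patients WHERE id = {patient_id}"
    return conn.execute(sql).fetchall()


def secure_get_patient(conn, api_key, patient_id):
    """Binds the id as a parameter and makes the caller's practice part of the
    query predicate, so a record from another practice is simply not found."""
    practice_id = API_KEYS.get(api_key)
    if practice_id is None:
        return []
    try:
        pid = int(patient_id)  # reject anything that is not an integer id
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, name, ssn FROM patients WHERE id = ? AND practice_id = ?"
    return conn.execute(sql, (pid, practice_id)).fetchall()


def run_demo():
    """Exercise both handlers as practice 10 and return the results by case."""
    conn = make_db()
    key = "key-practice-10"
    return {
        # Cross-practice read: practice 10 fetches practice 20's patient.
        "vuln_other_practice": vulnerable_get_patient(conn, key, "2"),
        # Injection: the WHERE clause becomes "id = 0 OR 1=1", dumping the table.
        "vuln_injection": vulnerable_get_patient(conn, key, "0 OR 1=1"),
        "secure_own": secure_get_patient(conn, key, "1"),
        "secure_other_practice": secure_get_patient(conn, key, "2"),
        "secure_injection": secure_get_patient(conn, key, "0 OR 1=1"),
    }


if __name__ == "__main__":
    for case, rows in run_demo().items():
        print(f"{case}: {rows}")
```

The point of the hardened handler is that authorization is expressed in the query itself rather than as a check bolted on afterwards: the caller's practice is bound into the predicate alongside the record id, so there is no code path that returns a row the caller is not entitled to, and the same parameter binding closes the injection.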


Article by CyberSIXT
