AI-Powered Audit Uncovers 38 CVEs in OpenEMR Healthcare Platform
An AI-driven code analysis by Aisle has revealed 38 previously unknown vulnerabilities in OpenEMR, the open-source EHR platform used by over 100,000 healthcare providers, including a critical SQL injection flaw rated CVSS 10.0.

An AI-powered security audit of the OpenEMR codebase has unearthed 38 previously undisclosed vulnerabilities in the widely used open-source electronic health record (EHR) platform. The flaws, discovered by cybersecurity vendor Aisle over a three-month period, range from medium to critical severity and include SQL injection, cross-site scripting (XSS), path traversal, and authorization bypass issues. All vulnerabilities have been patched in OpenEMR version 8.0.0, released in February 2026, with additional fixes rolled out in March.
The most severe flaw, tracked as CVE-2026-24908 with a CVSS score of 10.0, is a SQL injection vulnerability in OpenEMR's Patient REST API. This interface allows external systems to retrieve patient records, and the bug gives any authenticated user the ability to extract password hashes, browse any database table, and under certain conditions read or write arbitrary files on the server. Aisle's report warned that this could lead to full database compromise, exfiltration of protected health information (PHI) at scale, and remote code execution on the underlying server.
Two other notable vulnerabilities were highlighted in the disclosure. CVE-2026-23627 (CVSS 8.8) is a SQL injection flaw in the immunization tracking module, enabling an authenticated attacker to take over the database, steal patient health information and credentials, and potentially achieve remote code execution. CVE-2026-24487 (CVSS 6.5) is an authorization bypass in the FHIR CareTeam endpoint, which incorrectly returned data for every patient in the system rather than only the relevant patient's care team records.
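The two bug classes named above, SQL injection through a concatenated query parameter and an endpoint that forgets to scope its results to the requested patient, are worth seeing side by side with their fixes. The following Python is an added illustration written for this article; it is not OpenEMR's code and does not reproduce the actual vulnerable routines. It assumes an in-memory SQLite database with made-up `patients` and `care_team` tables, a simplified handler convention that returns an HTTP-style status and row list, and a toy authorization model (a set of patient ids the caller may see) that stands in for OpenEMR's real access checks.

```python
import sqlite3
from typing import Iterable, List, Tuple

Rows = List[Tuple]


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three patients, one care-team entry each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (pid INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE care_team (id INTEGER PRIMARY KEY, pid INTEGER, provider TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob"), (3, "Carol")])
    conn.executemany("INSERT INTO care_team (pid, provider) VALUES (?, ?)",
                     [(1, "Dr. X"), (2, "Dr. Y"), (3, "Dr. Z")])
    return conn


# --- SQL injection: vulnerable pattern vs. hardened pattern -------------------

def get_patient_vulnerable(conn: sqlite3.Connection, pid_param: str) -> Tuple[str, Rows]:
    """Deliberately vulnerable (hypothetical): the request parameter is spliced
    straight into the SQL text, so the caller controls the WHERE clause."""
    sql = f"SELECT pid, name FROM patients WHERE pid = {pid_param}"
    return "200", conn.execute(sql).fetchall()


def get_patient_hardened(conn: sqlite3.Connection, pid_param: str) -> Tuple[str, Rows]:
    """Fixed form: validate the type at the boundary, then bind the value as a
    parameter so it can never be interpreted as SQL."""
    if not pid_param.isdigit():
        return "400", []  # reject anything that is not a plain integer id
    rows = conn.execute("SELECT pid, name FROM patients WHERE pid = ?",
                        (int(pid_param),)).fetchall()
    return "200", rows


# --- Authorization: unscoped query vs. per-patient scoping --------------------

def care_team_unscoped(conn: sqlite3.Connection, requested_pid: int) -> Tuple[str, Rows]:
    """Deliberately broken (hypothetical): the requested patient id is ignored,
    so every patient's care-team rows come back to any caller."""
    return "200", conn.execute("SELECT pid, provider FROM care_team").fetchall()


def care_team_scoped(conn: sqlite3.Connection, requested_pid: int,
                     caller_allowed_pids: Iterable[int]) -> Tuple[str, Rows]:
    """Fixed form: check the caller may see this patient (toy model: an explicit
    allow-set), then filter the query by that same id."""
    if requested_pid not in set(caller_allowed_pids):
        return "403", []
    rows = conn.execute("SELECT pid, provider FROM care_team WHERE pid = ?",
                        (requested_pid,)).fetchall()
    return "200", rows


if __name__ == "__main__":
    db = build_db()
    # A normal lookup behaves the same in both versions...
    print(get_patient_vulnerable(db, "1"), get_patient_hardened(db, "1"))
    # ...but a malformed id changes the vulnerable query's logic and is refused by the fix.
    print(get_patient_vulnerable(db, "1 OR 1=1"), get_patient_hardened(db, "1 OR 1=1"))
    print(care_team_unscoped(db, 1), care_team_scoped(db, 1, {1}), care_team_scoped(db, 2, {1}))
```

The two defensive points are independent: parameterization alone would not have helped the CareTeam-style bug, because its query was syntactically fine but simply missing the patient filter, and an authorization check alone does nothing against a parameter that rewrites the query. Reviewers looking for either class can grep for string-built SQL and for endpoints whose query does not reference the identifier the route accepts.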
OpenEMR is one of the most widely deployed open-source EHR platforms globally, used by more than 100,000 healthcare providers across 200 countries. The scale of its deployment makes the discovery of these vulnerabilities particularly concerning, as they could have enabled attackers to access sensitive patient data, manipulate medical records, or pivot to other systems within healthcare networks. The platform handles a vast amount of protected health information, making it a high-value target for cybercriminals and state-sponsored actors.
Aisle's AI-powered platform autonomously scanned the OpenEMR codebase and identified the 38 CVEs in just three months, a task that would have taken a team of human researchers significantly longer. The company noted that a comparable independent security audit of OpenEMR conducted in 2018 by a team of security researchers took much longer and yielded a smaller set of 23 vulnerabilities. For each flaw discovered, Aisle also proposed fixes that OpenEMR maintainers could review and apply directly to their existing code, minimizing the time and effort required to address them.
The discovery underscores the accelerating impact of AI on vulnerability research. While AI tools are compressing discovery timelines from months to weeks, they are also creating new challenges for security teams in terms of triage, prioritization, and patching. There is growing concern that malicious actors may use the same AI-powered techniques to uncover and exploit vulnerabilities before defenders can respond, a worry that prompted the recent launch of Anthropic's Project Glasswing.
OpenEMR has since integrated Aisle's AI-powered analyzer into its code review process to automatically scan new code for vulnerabilities and address them before production deployment. Healthcare organizations using OpenEMR are strongly advised to upgrade to version 8.0.0 or later immediately to mitigate the risk of exploitation.