CVE-2026-24908

OpenEMR · OpenEMR

An SQL injection vulnerability in the OpenEMR Patient REST API allows authenticated users to execute arbitrary queries and access protected health information.

Executive summary

A critical SQL injection vulnerability in OpenEMR allows authenticated users to bypass security controls and access sensitive patient data, leading to a major breach of PHI.

Vulnerability

The vulnerability exists in the Patient REST API endpoint due to the lack of proper validation on the _sort parameter. An authenticated attacker with API access can inject malicious SQL commands into the ORDER BY clause, enabling unauthorized database interaction.
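The weakness described above is a general one: identifiers in an ORDER BY clause cannot be bound as prepared-statement parameters, so a sort parameter that is spliced straight into the query text hands the client control of the SQL. The following Python is an added example, not OpenEMR's own code, showing the concatenating pattern next to the allow-list pattern that removes it. The function names, the `SORT_COLUMNS` table, the column names and the "leading minus means descending" convention are all assumptions for illustration.

```python
"""Added example (not OpenEMR's own code): an ORDER BY clause assembled from a
client-supplied sort parameter, first in the concatenating form that makes the
clause injectable, then with an allow-list that maps API field keys to columns.
Function and table names here are assumptions, not OpenEMR identifiers."""

# Assumed mapping of public sort keys to database columns. Only values from this
# table reach the SQL text; the client's string is used solely as a lookup key.
SORT_COLUMNS = {
    "lname": "patient_data.lname",
    "fname": "patient_data.fname",
    "dob": "patient_data.DOB",
    "pid": "patient_data.pid",
}


class InvalidSortError(ValueError):
    """Raised when a sort parameter contains anything but allow-listed keys."""


def build_order_by_unsafe(sort_param: str) -> str:
    # Weak pattern: the raw parameter is spliced into the statement, so the
    # client controls part of the SQL text. Prepared statements cannot help
    # here because ORDER BY identifiers are not bindable values.
    return "ORDER BY " + sort_param


def build_order_by_safe(sort_param: str) -> str:
    """Translate e.g. 'lname,-dob' into an ORDER BY built only from SORT_COLUMNS.
    A leading '-' requests descending order (an assumed API convention)."""
    clauses = []
    for raw in sort_param.split(","):
        key = raw.strip()
        direction = "ASC"
        if key.startswith("-"):
            direction = "DESC"
            key = key[1:]
        column = SORT_COLUMNS.get(key)
        if column is None:
            # Unknown or empty key: reject the whole request rather than guessing.
            raise InvalidSortError(f"unknown sort field: {key!r}")
        clauses.append(f"{column} {direction}")
    return "ORDER BY " + ", ".join(clauses)


def patient_query(sort_param: str) -> str:
    """Complete statement for the hardened path; the column list is fixed."""
    return "SELECT pid, lname, fname, DOB FROM patient_data " + build_order_by_safe(sort_param)


def rejects(sort_param: str) -> bool:
    """True if the hardened builder refuses the parameter."""
    try:
        build_order_by_safe(sort_param)
    except InvalidSortError:
        return True
    return False


if __name__ == "__main__":
    print(patient_query("lname,-dob"))
    # The same non-identifier string passed to the weak builder lands in the SQL unchanged.
    print(build_order_by_unsafe("lname, (SELECT 1)"))
    print(rejects("lname, (SELECT 1)"))
```

The hardened builder never copies client text into the statement; it only decides which of its own column strings to emit, so no escaping or keyword filtering is needed. Rejecting an unknown key outright (rather than silently dropping it) also makes probing visible in application logs.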

Business impact

The impact of this flaw is severe, potentially resulting in the full exposure of Protected Health Information (PHI) and a violation of HIPAA regulations. Beyond data theft, attackers could compromise administrative credentials or manipulate medical records, leading to significant legal, financial, and reputational damage. The CVSS score of 9.9 underscores the critical nature of this injection flaw.

Remediation

Immediate Action: Administrators must upgrade OpenEMR installations to version 8.0.0 or higher to eliminate the vulnerable code path in the REST API.

Proactive Monitoring: Review database logs for anomalous queries containing SQL keywords in ORDER BY clauses, and monitor API traffic for requests with suspicious _sort values.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection detection rules to intercept and block malicious payloads targeting the REST API endpoints.
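The two monitoring checks in the remediation list can be expressed as a single structural rule: a legitimate ORDER BY contains only column names with optional ASC/DESC, and a legitimate `_sort` value contains only field keys. The Python below is an added example, not OpenEMR's own tooling, that applies that rule to constructed MySQL general-log lines and constructed web-server access-log lines. The request path `/apis/default/api/patient`, the log formats and the sample values are assumptions made for the example.

```python
"""Added example (not OpenEMR's own code): flag ORDER BY clauses in query logs
and _sort values in access logs that are not plain column/field lists.
Log formats, the API path and all sample lines are constructed for this example."""
import re
from urllib.parse import parse_qs, urlsplit

# Grammar of a benign ORDER BY: ident[.ident] [ASC|DESC] (, ...)*
IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
TERM = rf"{IDENT}(?:\.{IDENT})?(?:\s+(?:ASC|DESC))?"
SAFE_ORDER_BY = re.compile(rf"^\s*{TERM}(?:\s*,\s*{TERM})*\s*$", re.I)
# ORDER BY text runs until LIMIT, a statement terminator, or end of line.
ORDER_BY_CLAUSE = re.compile(r"\bORDER\s+BY\s+(.*?)(?:\s+LIMIT\b|\s*;|$)", re.I)
# Grammar of a benign _sort field key, with an optional leading '-' (assumed convention).
SORT_KEY = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*$")
REQUEST_URI = re.compile(r'"(?:GET|POST)\s+(\S+)')

# Constructed MySQL general-log style lines.
QUERY_LOG = [
    "2026-01-15T10:02:11Z  42 Query  SELECT pid, lname FROM patient_data ORDER BY lname ASC LIMIT 20",
    "2026-01-15T10:02:13Z  42 Query  SELECT pid, lname FROM patient_data ORDER BY patient_data.DOB DESC, lname",
    "2026-01-15T10:02:15Z  43 Query  SELECT pid, lname FROM patient_data ORDER BY (SELECT 1) LIMIT 20",
    "2026-01-15T10:02:16Z  43 Query  SELECT pid, lname FROM patient_data ORDER BY lname /* x */ DESC",
    "2026-01-15T10:02:18Z  44 Query  UPDATE patient_data SET fname='A' WHERE pid=7",
]

# Constructed access-log lines; the API path is an assumption.
ACCESS_LOG = [
    '203.0.113.5 - - [15/Jan/2026:10:02:11 +0000] "GET /apis/default/api/patient?_sort=lname HTTP/1.1" 200 5120',
    '203.0.113.5 - - [15/Jan/2026:10:02:15 +0000] "GET /apis/default/api/patient?_sort=%28SELECT+1%29 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Jan/2026:10:02:20 +0000] "GET /apis/default/api/patient?_sort=-dob,lname HTTP/1.1" 200 4096',
]


def scan_query_log(lines):
    """Return (index, order_by_text) for lines whose ORDER BY is not a plain column list."""
    hits = []
    for i, line in enumerate(lines):
        m = ORDER_BY_CLAUSE.search(line)
        if not m:
            continue  # statement has no ORDER BY; nothing to judge here
        clause = m.group(1)
        if not SAFE_ORDER_BY.match(clause):
            hits.append((i, clause))
    return hits


def scan_access_log(lines):
    """Return (index, sort_value) for requests whose _sort is not a list of field keys."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_URI.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)
        for value in params.get("_sort", []):
            if not all(SORT_KEY.match(part.strip()) for part in value.split(",")):
                hits.append((i, value))
    return hits


if __name__ == "__main__":
    for idx, clause in scan_query_log(QUERY_LOG):
        print(f"query log line {idx}: unexpected ORDER BY -> {clause!r}")
    for idx, value in scan_access_log(ACCESS_LOG):
        print(f"access log line {idx}: unexpected _sort -> {value!r}")
```

An allow-grammar like this is deliberately stricter than a keyword blocklist: anything with parentheses, operators, comment markers or quoting fails the match without the detection needing to know which construct an attacker favours. Expect some false positives from legitimate expressions in other code paths, so scope the rule to the statements the patient endpoint actually issues.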

Exploitation status

Public Exploit Available: false

Analyst recommendation

Protecting patient data is a primary requirement for healthcare providers. Organizations using OpenEMR must prioritize this update immediately to prevent unauthorized access to sensitive medical databases and ensure regulatory compliance.