CVE-2026-25146
OpenEMR · OpenEMR
OpenEMR leaks gateway_api_key secrets in plaintext to the client, enabling unauthorized financial transactions and account takeovers of payment gateways.
Executive summary
A critical information disclosure vulnerability in OpenEMR allows unauthenticated users to view sensitive payment gateway API keys, leading to potential financial fraud and data breaches.
Vulnerability
Two specific code paths in the application render the gateway_api_key secret value in plaintext to the client. Because the affected paths do not require authentication, an attacker can capture the keys simply by requesting them; no credentials, user interaction, or special tooling is needed beyond viewing the returned response.
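The pattern behind this defect class, as an added illustration written for this page (not OpenEMR's own code; the page does not name the two affected code paths, and the settings array, function names and placeholder key below are all hypothetical). The first function reproduces the mistake of writing a stored secret into the HTML the browser receives; the second keeps the value server-side and only tells the client whether a key exists, with a save handler that preserves the existing key when the masked field is submitted empty. The last function is the check an administrator can run against a rendered page after upgrading: does the response body contain the configured key?

```php
<?php
// Added example for this advisory, not OpenEMR code. All names are hypothetical.
declare(strict_types=1);

/** Constructed stand-in for a globals/settings table. The key is a placeholder, not a real credential. */
function loadGatewaySettings(): array
{
    return [
        'gateway_id'      => 'example-gateway',
        'gateway_api_key' => 'sk_live_0123456789abcdef',
    ];
}

/** VULNERABLE: the stored secret is emitted into the page the client receives. */
function renderGatewayFieldVulnerable(array $settings): string
{
    $key = htmlspecialchars($settings['gateway_api_key'], ENT_QUOTES, 'UTF-8');
    // Output escaping stops XSS but does nothing for confidentiality: view-source,
    // the DOM, intercepting proxies and browser caches all see the key.
    return '<input type="text" name="gateway_api_key" value="' . $key . '">';
}

/** HARDENED: the client learns only whether a key is set; the value never leaves the server. */
function renderGatewayFieldSafe(array $settings): string
{
    $isSet = ($settings['gateway_api_key'] ?? '') !== '';
    $hint  = $isSet ? 'key configured; enter a new value to replace it' : 'no key configured';
    return '<input type="password" name="gateway_api_key" value="" autocomplete="new-password"'
         . ' placeholder="' . htmlspecialchars($hint, ENT_QUOTES, 'UTF-8') . '">';
}

/** Save handler for the hardened form: an empty submission keeps the current key (write-only field). */
function applyGatewayFieldUpdate(array $settings, array $post): array
{
    $submitted = trim((string) ($post['gateway_api_key'] ?? ''));
    if ($submitted !== '') {
        $settings['gateway_api_key'] = $submitted;
    }
    return $settings;
}

/** Post-upgrade check: does a rendered response still contain the configured key? */
function responseLeaksKey(string $html, string $key): bool
{
    if ($key === '') {
        return false;
    }
    // Decode entities first so a key containing &, < or " is still found after escaping.
    return strpos(html_entity_decode($html, ENT_QUOTES, 'UTF-8'), $key) !== false;
}

$settings = loadGatewaySettings();
foreach (['renderGatewayFieldVulnerable', 'renderGatewayFieldSafe'] as $renderer) {
    $html = $renderer($settings);
    printf("%-28s leaks key: %s\n", $renderer,
        responseLeaksKey($html, $settings['gateway_api_key']) ? 'YES' : 'no');
}

// The write-only save path: an empty field leaves the key untouched, a non-empty one replaces it.
$unchanged = applyGatewayFieldUpdate($settings, ['gateway_api_key' => '']);
$rotated   = applyGatewayFieldUpdate($settings, ['gateway_api_key' => 'sk_live_new_placeholder']);
printf("empty submit keeps key: %s\n", $unchanged['gateway_api_key'] === $settings['gateway_api_key'] ? 'yes' : 'no');
printf("new value replaces key: %s\n", $rotated['gateway_api_key'] === 'sk_live_new_placeholder' ? 'yes' : 'no');
```

Run it with `php example.php`. The same reasoning applies to secrets embedded in inline JavaScript configuration objects or returned in JSON from an API endpoint: escaping and HTTPS protect the transport, not the recipient, so a value the browser can read is a value any unauthenticated requester of that path can read.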
Business impact
With a CVSS score of 9.6, this vulnerability poses a significant financial and regulatory risk. Exposure of payment gateway keys can lead to unauthorized money movement, broad account takeovers, and the compromise of Protected Health Information (PHI), potentially resulting in severe HIPAA violations and reputational damage.
Remediation
Immediate Action: Upgrade OpenEMR to version 8.0.0. Then rotate every payment gateway API key that was configured on the vulnerable instance, revoking the old keys at the gateway provider rather than only replacing the values in OpenEMR; any key that was reachable through the affected paths must be treated as compromised.
Proactive Monitoring: Review web server logs for requests to the vulnerable paths, in particular requests from clients with no authenticated session, and monitor payment gateway logs for transactions or API calls that do not originate from the OpenEMR deployment.
Compensating Controls: Until the upgrade is applied, use a Web Application Firewall (WAF) to block unauthenticated access to sensitive configuration paths, and apply strict egress filtering for payment processing traffic. Note that egress filtering on the OpenEMR host does not stop an attacker from using an already-stolen key from their own infrastructure; once a key has been exposed, rotation is the only effective control.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Updating the software is only the first step. Because the keys were served in plaintext to anyone who requested the affected paths, they must be rotated and revoked immediately; otherwise an attacker who captured them before the upgrade retains access to the payment gateway accounts.