File Reading Vulnerability in OpenEMR by OpenEMR
CVE-2026-24849

10 CRITICAL

Key Information:

Vendor: OpenEMR

Status
Vendor
CVE Published: 25 February 2026

What is CVE-2026-24849?

OpenEMR, an open-source electronic health records and medical practice management application, contains a vulnerability in the disposeDocument() method located in EtherFaxActions.php. The flaw allows any authenticated user, regardless of privilege level, to read sensitive files on the server without authorization. Versions prior to 7.0.4 are affected, and users are urged to upgrade to 7.0.4 or later to mitigate this risk.

Affected Version(s)

openemr < 7.0.4

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
