📄 Description (English)
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue.
🤖 AI Executive Summary
OpenEMR versions prior to 8.0.0.3 contain an authorization bypass vulnerability in insurance company REST API routes, allowing authenticated users without administrative privileges to create and modify insurance records. This affects healthcare organizations across Saudi Arabia that rely on OpenEMR for electronic health records management. The vulnerability has a CVSS score of 5.4 (medium) but poses significant compliance and operational risks in the healthcare sector.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 28, 2026 14:18
🇸🇦 Saudi Arabia Impact Assessment
Healthcare sector organizations in Saudi Arabia using OpenEMR are at direct risk, particularly private hospitals, clinics, and medical centers managing patient insurance information. The vulnerability impacts MEWA (Ministry of Health) affiliated facilities and private healthcare providers. Insurance data integrity is compromised, potentially affecting billing operations, patient coverage verification, and compliance with GDPR-equivalent healthcare data protection requirements. Government healthcare facilities and ARAMCO medical services using OpenEMR could face operational disruptions and data integrity issues.
🏢 Affected Saudi Sectors
Healthcare
Government Health Services
Private Hospitals and Clinics
Medical Centers
Insurance Companies
Pharmaceutical Distribution
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
1. IMMEDIATE ACTIONS:
- Audit all insurance company records created/modified via REST API in the past 90 days
- Review API access logs for unauthorized insurance record modifications
- Restrict API access to trusted applications only pending patch deployment
2. PATCHING GUIDANCE:
- Upgrade OpenEMR to version 8.0.0.3 or later immediately
- Test patch in non-production environment first
- Schedule maintenance window for production deployment
3. COMPENSATING CONTROLS (if immediate patching not possible):
- Implement network-level API access controls restricting insurance endpoints
- Disable REST API insurance routes at the application level if not required
- Implement API gateway authentication requiring multi-factor authentication
- Monitor and log all insurance API endpoint access
4. DETECTION RULES:
- Alert on POST/PUT requests to /apis/default/insurance endpoints from non-admin users
- Monitor for unusual patterns in insurance record creation/modification timestamps
- Track API calls modifying insurance data outside normal business hours
- Flag multiple insurance record modifications from single API token within short timeframe
🔧 خطوات المعالجة (العربية)
1. الإجراءات الفورية:
- تدقيق جميع سجلات شركات التأمين التي تم إنشاؤها/تعديلها عبر واجهة برمجة التطبيقات في آخر 90 يوماً
- مراجعة سجلات وصول واجهة برمجة التطبيقات للتعديلات غير المصرح بها على سجلات التأمين
- تقييد وصول واجهة برمجة التطبيقات للتطبيقات الموثوقة فقط قبل نشر التصحيح
2. إرشادات التصحيح:
- ترقية OpenEMR إلى الإصدار 8.0.0.3 أو أحدث فوراً
- اختبار التصحيح في بيئة غير الإنتاج أولاً
- جدولة نافذة صيانة لنشر الإنتاج
3. الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
- تنفيذ ضوابط وصول واجهة برمجة التطبيقات على مستوى الشبكة تقيد نقاط نهاية التأمين
- تعطيل مسارات واجهة برمجة التطبيقات REST للتأمين على مستوى التطبيق إذا لم تكن مطلوبة
- تنفيذ بوابة واجهة برمجة التطبيقات التي تتطلب المصادقة متعددة العوامل
- مراقبة وتسجيل جميع وصول نقاط نهاية واجهة برمجة التطبيقات للتأمين
4. قواعد الكشف:
- تنبيه على طلبات POST/PUT إلى نقاط نهاية /apis/default/insurance من مستخدمين غير إداريين
- مراقبة الأنماط غير العادية في طوابع زمن إنشاء/تعديل سجلات التأمين
- تتبع استدعاءات واجهة برمجة التطبيقات التي تعدل بيانات التأمين خارج ساعات العمل العادية
- وضع علامة على تعديلات سجلات التأمين المتعددة من رمز واجهة برمجة التطبيقات الواحد في إطار زمني قصير
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and authentication
ECC 2024 A.9.4.3 - Password management and access control
ECC 2024 A.14.2.1 - Secure development and change management
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and hardware inventory
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.AC-4 - Access rights and privileges management
SAMA CSF DE.CM-1 - Detection and monitoring of unauthorized access
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.14.2 - Secure development policy
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Restrict access to system components
PCI DSS 6.2 - Security patches and updates
PCI DSS 7.1 - Limit access to system components by business need
🔗 References & Sources 3
🔗
https://github.com/openemr/openemr/commit/976d2a85f024a730955578597a82c083067a72b4
security-advisories@github.com
Patch
🔗
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
security-advisories@github.com
Product
🔗
https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp
security-advisories@github.com
Vendor Advisory
📦 Affected Products / CPE 1 entries
open-emr:openemr