
CVE-2026-24908: AI Deep Analysis Summary

CVSS 10.0 · Critical

Q1 What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: SQL injection through the `_sort` parameter of OpenEMR's Patient REST API. 💥 **Consequences**: an attacker who can reach the endpoint can run arbitrary SQL against the OpenEMR database, which means full read and write access to patient data (confidentiality and integrity loss) and the ability to disrupt the service (availability loss).

Q2 Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: **CWE-89** (Improper Neutralization of Special Elements used in an SQL Command). The `_sort` value sent to the Patient REST API is used in the query without being validated against the set of fields the API actually allows sorting on. Note that a sort parameter names a column and a direction, i.e. SQL identifiers and keywords, which cannot be bound as prepared-statement values; the only sound handling is an allow-list of permitted fields, and that check was missing.

Q3 Who is affected? (Versions/Components)

🏥 **Affected**: **OpenEMR** versions **prior to 8.0.0**, specifically the Patient REST API component. OpenEMR is an open-source EHR and medical practice management system, so affected deployments hold regulated patient data.

Q4 What can hackers do? (Privileges/Data)

💀 **Capabilities**: An authenticated user with API access can run **arbitrary SQL**. That covers reading any patient record regardless of the caller's own access scope, modifying or deleting data, and, depending on the database account's privileges, a path toward control of the host (for example by abusing file-write or other elevated database features).

Q5 Is exploitation threshold high? (Auth/Config)

🔑 **Threshold**: **Medium**. The endpoint is **network**-reachable and the attack has **low complexity**, but the attacker must hold valid OpenEMR **API credentials** with permission to query patients. It is not an unauthenticated remote exploit; in practice, any compromised, shared or low-privilege API client account is enough.

Q6 Is there a public Exp? (PoC/Wild Exploitation)

📦 **Exploit Status**: No public PoC or exploit is listed in the source data. Because the fix is a public commit (see Q8), the vulnerable code path can be identified by diffing it, so expect exploitation attempts to increase as those details circulate.

Q7 How to self-check? (Features/Scanning)

🔍 **Self-Check**: Inventory OpenEMR instances and flag any below 8.0.0. Review API access logs for requests to the Patient REST API whose `_sort` value is anything other than a plain field name (SQL keywords, quotes, parentheses, comment sequences, or unusual length); such requests that produced a database error response, an unexpected result set, or a delayed response are strong indicators of probing. If you test the parameter actively, do it against a non-production copy.

Q8 Is it fixed officially? (Patch/Mitigation)

✅ **Fix**: Yes. The official patch is GitHub commit `943e23cad6e979f87cdf168807fce2a7b32dd194`. Upgrade to **OpenEMR 8.0.0** or later.

Q9 What if no patch? (Workaround)

🚧 **Workaround**: If patching is delayed, restrict API access to known client addresses and accounts, reduce each API user's privileges to the minimum its integration needs, and put a WAF or reverse-proxy rule in front of the API that rejects any `_sort` value that is not a plain field name (optionally prefixed with `-`, separated by commas). Prefer that positive check over a blocklist of SQL keywords: keyword blocklists are routinely bypassed with encoding and casing tricks. Treat this as a stopgap only; it does not remove the injection.
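The following is an added example for Q7 and Q9, not code from OpenEMR or from this advisory. It shows the unsafe shape (the `_sort` value pasted into the query) beside an allow-list parser that builds `ORDER BY` only from known columns, and it reuses that parser to flag suspicious `_sort` values in access logs. The `_sort` syntax (comma-separated fields, leading `-` for descending), the column allow-list, the table name, the request path and the log lines are all assumptions constructed for the example.

```python
"""Allow-list handling of a REST `_sort` parameter (added example, not OpenEMR code).

Assumptions, not taken from the advisory:
  * `_sort` is a comma-separated list of field names, each optionally prefixed
    with '-' for descending order (the FHIR search convention).
  * The sortable fields, the table name and the request path are illustrative.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Illustrative mapping from API field name to database column (assumed).
SORTABLE = {"id": "pid", "lname": "lname", "fname": "fname", "DOB": "DOB"}

_FIELD = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*$")


class InvalidSort(ValueError):
    """Raised when a `_sort` value contains anything but allow-listed fields."""


def build_order_by_unsafe(sort_param: str) -> str:
    """The vulnerable shape: user input is concatenated into SQL verbatim.
    `_sort=lname; DROP TABLE x` or `_sort=(SELECT ...)` lands in the query."""
    return "SELECT * FROM patient_data ORDER BY " + sort_param


def parse_sort(sort_param: str) -> list[tuple[str, str]]:
    """Turn `_sort` into (column, direction) pairs, accepting only allow-listed
    fields. Any other token, including SQL fragments, raises InvalidSort."""
    pairs = []
    for raw in filter(None, sort_param.split(",")):
        token = raw.strip()
        if not _FIELD.match(token):
            raise InvalidSort(f"malformed sort field: {token!r}")
        field = token.lstrip("-")
        if field not in SORTABLE:
            raise InvalidSort(f"field not sortable: {field!r}")
        pairs.append((SORTABLE[field], "DESC" if token.startswith("-") else "ASC"))
    return pairs


def build_order_by_safe(sort_param: str) -> str:
    """Hardened shape: ORDER BY is assembled only from allow-listed column
    names and the literal keywords ASC/DESC; user text never reaches SQL."""
    pairs = parse_sort(sort_param)
    if not pairs:
        return "SELECT * FROM patient_data"
    clause = ", ".join(f"`{col}` {direction}" for col, direction in pairs)
    return f"SELECT * FROM patient_data ORDER BY {clause}"


def rejects(sort_param: str) -> bool:
    """True if the allow-list parser would refuse this `_sort` value."""
    try:
        parse_sort(sort_param)
    except InvalidSort:
        return True
    return False


# Constructed sample access-log lines (Apache combined format); the path is an
# assumption. Lines 2 and 3 carry SQL fragments in `_sort`, lines 1 and 4 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /apis/default/api/patient?_sort=-DOB,lname HTTP/1.1" 200 4120',
    '10.0.0.9 - - [01/Jan/2026:10:00:07 +0000] "GET /apis/default/api/patient?_sort=lname%2C(SELECT%20SLEEP(5)) HTTP/1.1" 200 4121',
    '10.0.0.9 - - [01/Jan/2026:10:00:09 +0000] "GET /apis/default/api/patient?_sort=fname%20LIMIT%201 HTTP/1.1" 500 88',
    '10.0.0.5 - - [01/Jan/2026:10:00:12 +0000] "GET /apis/default/api/patient?_sort=id HTTP/1.1" 200 4120',
]

_REQUEST = re.compile(r'"(?:GET|POST) (\S+)')


def suspicious_sort_requests(log_lines) -> list[tuple[int, str]]:
    """Q7 self-check: (line number, decoded `_sort` value) for every request whose
    `_sort` the allow-list parser rejects. Unknown-but-harmless field names are
    flagged too, so tune SORTABLE to the deployment before trusting the output."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = _REQUEST.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        for value in query.get("_sort", []):
            if rejects(value):
                hits.append((lineno, value))
    return hits


if __name__ == "__main__":
    print(build_order_by_unsafe("lname; DROP TABLE x"))   # injection survives
    print(build_order_by_safe("-DOB,lname"))               # only known columns
    for lineno, value in suspicious_sort_requests(SAMPLE_LOG):
        print(f"log line {lineno}: rejected _sort={value!r}")
```

The same `parse_sort` function serves as the WAF/proxy rule from Q9 if it is run on the decoded query string: anything it refuses is dropped before reaching the application. The `rejects` check is intentionally positive (what is allowed) rather than a list of forbidden keywords.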

Q10 Is it urgent? (Priority Suggestion)

🔥 **Priority**: **CRITICAL** (see the CVSS score above). Medical records are among the most sensitive data an organisation holds, and although authentication is required, the impact of arbitrary SQL execution is total compromise of that data. Upgrade to OpenEMR 8.0.0 or later immediately; apply the Q9 workarounds in the meantime.