Home > Vulnerability Database > CVE-2025-67645

Mend.io Vulnerability Database

CVE-2025-67645

Good to know:

Date: January 27, 2026

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue.

Severity Score

8.8

Related Resources (4)

Url: https://github.com/openemr/openemr/commit/e2a682ee71aac71a9f04ae566f4ffca10052bc4a

Url: https://github.com/openemr/openemr/security/advisories/GHSA-vjmv-cf46-gffv

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-67645

Url: https://www.mend.io/vulnerability-database/CVE-2025-67645

Severity Score

8.8

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version https://github.com/openemr/openemr.git - v7_0_4

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-67645

Good to know:

Date: January 27, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?