Skip to content
Tech News
← Back to articles

AI uncovers 38 vulnerabilities in largest open source medical record software

2026-04-28 | original
read original get Cybersecurity Software Suite → more articles
Why This Matters

This discovery highlights the critical need for robust security measures in healthcare software, especially as AI tools are increasingly used both for vulnerability detection and by attackers. Ensuring the security of widely adopted open-source medical record systems like OpenEMR is vital to protect patient data and maintain trust in digital health solutions.

Key Takeaways

Healthcare is digitizing faster than it is being secured. AI-assisted diagnostics, telemedicine, and automated billing are expanding access to care at unprecedented speed, but the security practices protecting these systems have not kept up. At the same time, attackers are increasingly using AI to find vulnerabilities faster than ever. The result is a widening gap between what healthcare software can do and how well it is defended.

OpenEMR sits squarely in that gap. It is one of the most widely adopted open-source electronic health record platforms in the world, used by over 100,000 medical providers serving more than 200 million patients across 34 languages. OpenEMR 8.0, released in February 2026, is ONC-certified under the U.S. federal Health IT certification program, including the full set of Privacy and Security criteria (§ 170.315(d)(1) through (d)(13)). Such reach makes protecting it essential.

That is why we chose OpenEMR as a focus of our open-source partnership security work. Our goal is to strengthen critical infrastructure by applying the same autonomous analysis engine that uncovered twelve zero-days in OpenSSL to a codebase that millions of patients depend on daily. The OpenEMR maintainers collaborated closely with us and responded to findings with speed and professionalism. What follows is a summary of what we found, how the issues were fixed, and what this experience reveals about the state of healthcare application security.

The Findings at a Glance

During Q1 2026, AISLE researchers Stanislav Fort, Petr Simecek, and Pavel Kohout applied the AISLE AI analyzer to the OpenEMR codebase and discovered 38 CVEs, accounting for more than half of all OpenEMR security advisories published on GitHub during this period.

For comparison, the most prominent prior independent security audit of OpenEMR was the 2018 Project Insecurity report, which generated international press coverage and disclosed 23 vulnerabilities after an extended research effort by a dedicated human team. AISLE's analyzer found 38 in just one quarter.

These vulnerabilities could have enabled a broad range of attacks against OpenEMR deployments. In the most severe cases, SQL injection vulnerabilities combined with modest database privileges could have led to full database compromise, PHI exfiltration at scale, and remote code execution on the server.

Notable Findings

Each of these vulnerabilities could be exploited to access or rewrite sensitive patient data:

CVE-2026-24908: SQL Injection in Patient REST API Sort Parameter

... continue reading

Explore topics: openemr healthcare open-source vulnerabilities
Related:
AISLE Discovers 38 CVEs in OpenEMR Healthcare Software
Localsend: An open-source cross-platform alternative to AirDrop
OpenAI’s Latest Release Looks Like the Project Management Software You Probably Already Have to Use
BleachBit 6.0 updates the free PC cleaner with smarter browser cleanup
Pgbackrest is no longer being maintained

© 2026 GoKawiil

About | Editorial Policy | Contact