CVE-2025-67752
Severity: HIGH
OpenEMR < 7.0.4 - Improper Certificate Validation in HTTP Client Wrapper
Title source: llmDescription
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (`oeHttp`/`oeHttpRequest`) disables SSL/TLS certificate verification by default (`verify: false`), making all external HTTPS connections vulnerable to man-in-the-middle (MITM) attacks. This affects communication with government healthcare APIs and user-configurable external services, potentially exposing Protected Health Information (PHI). Version 7.0.4 fixes the issue.
References
Vendor Advisory (x_refsource_confirm): https://github.com/openemr/openemr/security/advisories/GHSA-2g6h-725p-pqhp
Scores
CVSS v3: 8.1
EPSS: 0.0023
EPSS Percentile: 13.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-295
Status: published
Products
open-emr/openemr: < 7.0.4
Published: Feb 25, 2026
Tracked Since: Feb 25, 2026