OpenMRS Security Advisory
Please be aware of the following security vulnerability, CVE-2025-46823.
Severity: Critical
Affected Versions
Vulnerability
- In versions of the FHIR2 module prior to 2.5.0, privileges were not always checked correctly, so unauthorized users may have been able to add or edit data that they were not permitted to add or edit.
Recommendations
- All implementers should update to FHIR2 2.5.0 or newer as soon as is feasible.
- This notification will be publicly posted in 2 weeks.
For questions or concerns, connect with the OpenMRS Security Group at security@openmrs.org.
Acknowledgements: Thanks go to @ibacher (UW DIGI) for the fix, and @mogoodrich (PIH) for testing the fixed version.