AI/TLDR

AISLE · 2026-04-28 · major

AISLE's AI Analyzer Finds 38 CVEs in OpenEMR — Two CVSS 10.0, Used by 100K Healthcare Providers

AI-native security firm AISLE ran its analyzer on OpenEMR and disclosed 38 CVEs in Q1 2026 — more than half of all OpenEMR advisories that quarter, including two CVSS 10.0 SQLi flaws. All fixed in OpenEMR 8.0.0.

[Image: OpenEMR security disclosure banner from AISLE announcing the 38 CVEs. Credit: AISLE]

An AI vulnerability analyzer found 38 CVEs in OpenEMR in a single quarter, more than the best-known prior human audit of the project (Project Insecurity, 2018) reported in total.

Key specs

  • CVEs found: 38
  • Critical (CVSS 10.0): 2
  • OpenEMR providers: 100,000+
  • Patients served: 200M+
  • Fixed in release: OpenEMR 8.0.0
  • Fixes shipped: 2026-02-11

What is it?

AISLE is an AI-native cybersecurity startup. It pointed its autonomous code analyzer at OpenEMR, the most widely deployed open-source electronic-health-record system, used by 100K+ providers serving 200M+ patients, and disclosed 38 CVEs during Q1 2026. AISLE PRO, its AI commit-review tool, is now wired into OpenEMR's code-review workflow.

How does it work?

The analyzer reads source code and produces validated vulnerability findings rather than alert noise, which AISLE then submits as coordinated disclosures. The 38 CVEs split into 23 missing/incorrect-authorization bugs, 9 XSS, and 5 SQLi/path-traversal issues (as reported, these categories account for 37 of the 38). The two CVSS 10.0 flaws, CVE-2026-24908 and CVE-2026-23627, are SQL injections in the Patient REST API and the immunization search; they allow extraction of credential hashes from the database and, where the database account holds the FILE privilege, remote code execution.
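The bug class behind the two CVSS 10.0 findings, as an added example that is not AISLE's or OpenEMR's code: a hypothetical patient-search function that splices the search term into SQL text, beside the parameterized version that closes the hole, plus a crude access-log check an operator could run while waiting for the 8.0.0 upgrade window. The in-memory schema, the placeholder hash, the REST path and the log lines are all constructed for the demonstration and do not reflect OpenEMR's real tables or endpoints; the UNION payload works against this SQLite stand-in and is not a reproduction of either CVE.

```python
"""Added example (not AISLE's or OpenEMR's code): string-concatenated SQL versus a
bound parameter, and a first-pass log triage for injection syntax.
Schema, hash, endpoint path and log lines below are constructed."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed bcrypt-style placeholder, not a real credential.
FAKE_HASH = "$2y$10$constructedplaceholderhashvalue"


def build_db():
    """Constructed in-memory stand-in for an EHR database (not OpenEMR's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT);
        CREATE TABLE users_secure (username TEXT, password TEXT);
        INSERT INTO patient_data VALUES (1, 'Ada', 'Lovelace'), (2, 'Grace', 'Hopper');
        INSERT INTO users_secure VALUES ('admin', '{FAKE_HASH}');
    """)
    return conn


def search_patients_vulnerable(conn, lname):
    """Hypothetical vulnerable pattern: user input becomes part of the SQL text."""
    sql = "SELECT pid, fname, lname FROM patient_data WHERE lname = '" + lname + "'"
    return conn.execute(sql).fetchall()


def search_patients_fixed(conn, lname):
    """Fix: bound parameter, so the input is only ever compared as data."""
    return conn.execute(
        "SELECT pid, fname, lname FROM patient_data WHERE lname = ?", (lname,)
    ).fetchall()


# UNION payload: three columns to match the original SELECT; the trailing
# comment swallows the closing quote the vulnerable query appends.
UNION_PAYLOAD = "x' UNION SELECT 0, username, password FROM users_secure -- "

# Signatures for obvious injection syntax in a decoded request target.
SQLI_RE = re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b|'\s*(or|and)\s+|--\s")
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_sqli_requests(log_lines):
    """Crude triage over access-log lines: return decoded request targets that
    carry obvious injection syntax. This catches unsophisticated probes only
    and is no substitute for upgrading to a fixed release."""
    hits = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        decoded = unquote_plus(m.group(1))
        if SQLI_RE.search(decoded):
            hits.append(decoded)
    return hits


# Constructed log lines; the REST path is illustrative, not OpenEMR's real route.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Feb/2026:09:15:02 +0000] "GET /apis/default/api/patient?lname=Hopper HTTP/1.1" 200 412',
    '203.0.113.7 - - [11/Feb/2026:09:15:09 +0000] "GET /apis/default/api/patient?lname=x%27+UNION+SELECT+0%2Cusername%2Cpassword+FROM+users_secure+--+ HTTP/1.1" 200 611',
    '198.51.100.9 - - [11/Feb/2026:09:16:30 +0000] "GET /interface/login/login.php HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, benign input:", search_patients_vulnerable(db, "Hopper"))
    print("vulnerable, payload:     ", search_patients_vulnerable(db, UNION_PAYLOAD))
    print("fixed, payload:          ", search_patients_fixed(db, UNION_PAYLOAD))
    print("flagged requests:        ", flag_sqli_requests(SAMPLE_LOG))
```

The vulnerable function returns the credential row for the payload because the UNION is parsed as part of the statement; the parameterized one returns nothing because the payload is compared literally against `lname`. The log check is deliberately narrow: it flags the encoded UNION probe and nothing else in the sample, and a real attacker can trivially evade it, which is why the page's only real remedy is the upgrade.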

Why does it matter?

It's a working data point for AI-driven vulnerability discovery outperforming a dedicated human team: for comparison, the 2018 Project Insecurity audit of OpenEMR produced 23 disclosures over a sustained effort. The fixes shipped in OpenEMR 8.0.0 on 2026-02-11; anyone running a version below 8.0.0 should patch immediately.

Who is it for?

Healthcare CISOs, application security teams, OpenEMR operators

Try it

Upgrade any OpenEMR install to 8.0.0 or later.

Sources · 3 outlets

Tags

  • security
  • ai-security
  • vulnerability-discovery
  • healthcare
  • openemr
  • cve
  • sql-injection
  • static-analysis
