AI Analysis Identifies 38 Flaws in OpenEMR Platform
An automated, AI-driven analysis of the most widely used electronic medical records platform uncovered 38 previously unknown vulnerabilities, including two critical flaws with maximum CVSS severity scores of 10.0. The vulnerabilities were identified as part of a collaboration between AISLE, an autonomous, AI-native application security platform, and OpenEMR, an open source and U.S. government-certified platform, the purpose of which was to identify and remediate critical vulnerabilities in the platform before they could be exploited by malicious actors.
OpenEMR is used by more than 100,000 healthcare providers worldwide, and the platform serves more than 200 million patients globally. OpenEMR is free open source software with no licensing fees and relatively low operating costs, making it a popular choice for under-resourced healthcare providers. The platform is widely used in the United States.
The analysis by AISLE resulted in 39 GitHub Security Advisory (GHSA) vulnerabilities in Q1, 2026, including critical, high, and moderate severity vulnerabilities, with 38 of the 39 vulnerabilities receiving CVE designations. The two most serious vulnerabilities could potentially have been exploited to access and rewrite patient and provider data, compromise the full database, and achieve remote code execution on the server, allowing ePHI to be exfiltrated at scale. One of the maximum severity flaws could be exploited by a remote attacker with no authentication on any Internet-reachable OpenEMR instance.
The vulnerabilities identified by AISLE accounted for more than half of all OpenEMR Security vulnerabilities published on GitHub in Q1, 2026. “These disclosures reflect the growing threats that healthcare institutions face in the age of AI,” said Stanislav Fort, co-founder and chief scientist at AISLE. “Because human lives and identities are at stake, few issues are as critical as ensuring that medical codebases are secure. AISLE’s collaboration with OpenEMR shows that AI-driven analysis can help dedicated, lean teams defend vital systems and remain compliant.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Threat actors are increasingly using AI to analyze code and identify exploitable vulnerabilities, so it is vital for defenders to also use AI to accelerate the discovery and remediation of vulnerabilities. Through the partnership with AISLE, the OpenEMR maintainers were able to fix the vulnerabilities before they could be exploited and have now begun a partnership with AISLE to secure the OpenEMR for years to come.
AISLE generated a repository-native fix proposal OpenEMR’s own abstractions, authorization patterns, and sanitization helpers for each of the 38 CVEs. AISLE produced the fix for one of the critical vulnerabilities, and for other critical flaws, OpenEMR maintainers adopted AISLE’s proposed remediation into the final fix. The OpenEMR maintainers now have access to AISLE’s AI-native AppSec platform, which allows them to automatically detect, triage, and fix software vulnerabilities. OpenEMR can now focus on hardening defenses without having to employ additional team members. In addition to using the platform to identify vulnerabilities in production code, OpenEMR is using the AISLE vulnerability analyzer to analyze code and identify security issues before they reach production.
