Site administrators of OpenEMR: please update your PHP to the latest security patch releases in order to mitigate a remote code execution attack.
This is not a security vulnerability in OpenEMR, but one in the php-soap extension. All versions of OpenEMR are vulnerable unless you’ve specifically disabled the php-soap extension on your OpenEMR installation. The affected PHP releases include PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. The mbstring vulnerability strictly impacts versions before 8.4.21 and 8.5.6.
First, thank you to those who raised awareness about the PHP SOAP extension vulnerability. We’re running OpenEMR 8.0.0.3 in Docker on Windows and wanted to proactively disable the extension rather than rely on remembering to patch PHP later.
After some trial and error, here’s the method that worked reliably for us:
What we did:
Created a small disabled config file in our project:
Path: php-config/01_soap.ini.disabled
Added the following content to the file:
```ini
; SOAP extension disabled for security (May 2026)
;extension=soap
;extension=soap.so
```
Mounted it in docker-compose.yml so it replaces the original file at container startup:
After restarting with docker compose down && docker compose up -d, we confirmed:
soap no longer appears in php -m
The mounted file inside the container shows our commented-out version
This approach survives container restarts and docker compose down. It’s simple and doesn’t require modifying the official image or using custom entrypoint commands.
Hoping this helps someone else running OpenEMR in Docker who wants to reduce their attack surface. Grateful for this community.
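An added example, not part of either post above: a small shell check that combines the two conditions discussed in this thread, whether `soap` shows up in `php -m` and whether the PHP version is at or past the fixed releases quoted in the announcement. The function names are hypothetical, and treating a PHP branch the announcement does not list as needing action is an assumption.

```shell
#!/bin/sh
# Added example. Fixed-release numbers are the ones quoted in the announcement;
# function names and the handling of unlisted branches are assumptions.
# Use inside the container:  php -m | assess "$(php -r 'echo PHP_VERSION;')"

# fixed_patch BRANCH -> first patched patch level for that branch, or nothing
fixed_patch() {
    case "$1" in
        8.2|8.3) echo 31 ;;
        8.4)     echo 21 ;;
        8.5)     echo 6 ;;
    esac
}

# php_status VERSION -> prints patched | affected | unlisted
php_status() {
    ver=${1%%[-+]*}                 # drop suffixes such as "-dev"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;             # no patch level given
    esac
    patch=${patch%%[!0-9]*}         # compare the numeric part only
    need=$(fixed_patch "$major.$minor")
    if [ -z "$need" ]; then echo unlisted
    elif [ "${patch:-0}" -ge "$need" ]; then echo patched
    else echo affected
    fi
}

# soap_loaded: reads `php -m` output on stdin, succeeds if soap is listed
soap_loaded() { tr -d '\r' | grep -qix 'soap'; }

# assess VERSION < module list -> verdict line; status 0 = ok, 1 = act
assess() {
    if ! soap_loaded; then echo "ok: soap not loaded"; return 0; fi
    case $(php_status "$1") in
        patched)  echo "ok: soap loaded, PHP $1 is at or past the fixed release"; return 0 ;;
        affected) echo "act: soap loaded on PHP $1, update PHP or disable soap"; return 1 ;;
        *)        echo "act: soap loaded on PHP $1, branch not in the announcement"; return 1 ;;
    esac
}
```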