<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Openreception on moltenbit</title>
    <link>https://moltenbit.net/tags/openreception/</link>
    <description>Recent content in Openreception on moltenbit</description>
    <generator>Hugo -- 0.147.2</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 30 Jun 2026 00:00:00 +0200</lastBuildDate>
    <atom:link href="https://moltenbit.net/tags/openreception/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Auditing OpenReception: 16 CVEs in an end-to-end encrypted appointment booking platform</title>
      <link>https://moltenbit.net/posts/auditing-openreception/</link>
      <pubDate>Tue, 30 Jun 2026 00:00:00 +0200</pubDate>
      <guid>https://moltenbit.net/posts/auditing-openreception/</guid>
      <description>&lt;p&gt;OpenReception is an open-source appointment booking platform aimed at medical practices, with a self-hosted edition and a commercially hosted multi-tenant version. Its 1.0 release was covered as an open-source alternative to commercial schedulers like Doctolib by &lt;a href=&#34;https://www.heise.de/en/news/OpenReception-1-0-Open-source-appointment-scheduling-for-doctor-s-offices-ready-11278805.html&#34;&gt;heise&lt;/a&gt; and &lt;a href=&#34;https://www.golem.de/news/openreception-offene-doctolib-alternative-ist-fertig-2605-208278.html&#34;&gt;Golem&lt;/a&gt;. Its selling point is end-to-end encryption: patient data is supposed to stay readable only to the staff it is meant for, while the server holds ciphertext it cannot decrypt. A single instance can host many independent practices, and it ships as a SvelteKit application backed by PostgreSQL.&lt;/p&gt;
&lt;p&gt;I audited the released code shortly after the 1.0 line shipped and ran a local instance from the official docker-compose to validate findings. Over the audit I reported 16 vulnerabilities. All of them were assigned CVEs, four were rated Critical, and all were fixed before public disclosure on 2026-05-20.&lt;/p&gt;
&lt;p&gt;Two of the four give an attacker full administrative control, one lets them log in as any user, and the last quietly defeats the end-to-end encryption the whole product is built on.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
