PHP
CVE-2026-32120
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (library/FeeSheet.class.php) allows any authenticated user with fee sheet ACL access to delete, modify, or read drug_sales records belonging to arbitrary patients by manipulating the hidden prod[][sale_id] form field. The save() method uses the user-supplied sale_id in five SQL queries (SELECT, UPDATE, DELETE) without verifying that the record belongs to the current patient and encounter. Version 8.0.0.3 contains a patch.
AnalysisAI
An Insecure Direct Object Reference (IDOR) vulnerability exists in OpenEMR versions prior to 8.0.0.3 within the fee sheet product save logic that allows authenticated users with fee sheet ACL permissions to arbitrarily read, modify, or delete drug_sales records belonging to any patient by manipulating the hidden prod[][sale_id] form field. The vulnerability stems from insufficient authorization checks in the FeeSheet.class.php library, where user-supplied sale_id values are used directly in SQL queries without verifying ownership of the record to the current patient and encounter. With a CVSS score of 6.5 and confirmed patch availability in version 8.0.0.3, this represents a moderate-severity data integrity and confidentiality risk affecting healthcare data.
Technical ContextAI
The vulnerability resides in the OpenEMR application (cpe:2.3:a:openemr:openemr:*:*:*:*:*:*:*:*), specifically within the library/FeeSheet.class.php file's save() method. OpenEMR is a PHP-based electronic health records and medical practice management system. The root cause is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), where the application fails to enforce proper authorization boundaries at the object level. The save() method processes five SQL queries (SELECT, UPDATE, DELETE operations) that directly incorporate user-controlled sale_id parameters from hidden form fields without server-side validation that the sale_id belongs to the authenticated user's current patient context or encounter. This is a classic IDOR vulnerability where the indirect reference (sale_id) can be enumerated or manipulated to access records outside the user's intended authorization scope.
RemediationAI
Immediately upgrade OpenEMR to version 8.0.0.3 or later, which contains the authoritative patch that adds proper ownership verification to the FeeSheet.class.php save() method. Apply the specific patch from commit c5b4dd8caf2af70617cc58d39188621ed90543dc if immediate full upgrade is not feasible. As a temporary compensating control pending patching, restrict fee sheet ACL access to only trusted administrative users and implement detailed audit logging of all fee sheet modifications including sale_id changes. Network-level segmentation should ensure OpenEMR is only accessible to authorized staff via VPN or internal networks. Review audit logs for any suspicious fee sheet modifications that may indicate prior exploitation, particularly cross-patient or cross-encounter drug sales record changes. After patching, conduct a full audit of drug_sales records to detect any unauthorized modifications.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today