CVE-2026-32123
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1.
Analysis
OpenEMR versions prior to 8.0.0.1 fail to properly enforce access controls on group encounters due to sensitivity checks only querying the wrong database table, allowing authenticated users to view restricted medical records such as mental health encounters they should not access. The vulnerability affects multi-user deployments where role-based restrictions are relied upon to protect sensitive patient information. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit access logs for group encounters and identify any unauthorized data access; notify legal/compliance of potential PHI exposure. Within 7 days: Implement compensating controls by restricting group encounter functionality at the application level or network access layer until patched; conduct risk assessment of affected patient records. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today