What is the CVSS score of CVE-2026-32123?

CVE-2026-32123 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Openemr are affected by CVE-2026-32123?

OpenEMR installations are vulnerable to unauthorized access to sensitive group encounter records due to broken access controls that fail to enforce privacy restrictions on group-based medical data.

How to fix or mitigate CVE-2026-32123?

Within 24 hours: Audit access logs for group encounters and identify any unauthorized data access; notify legal/compliance of potential PHI exposure. Within 7 days: Implement compensating controls by restricting group encounter functionality at the application level or network access layer until patched; conduct risk assessment of affected patient records. Within 30 days: Develop and execute remediation plan including user re-training, access control review, and deployment of patched OpenEMR 8.0.0.1 or later in a controlled testing environment before production rollout.

Openemr CVE-2026-32123

HIGH

Incorrect Authorization (CWE-863)

2026-03-11 security-advisories@github.com

Authentication Bypass Openemr

7.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.7 HIGH

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:07 vuln.today

CVE Published

Mar 11, 2026 - 21:16 nvd

HIGH 7.7

DescriptionGitHub Advisory

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1.

AnalysisAI

OpenEMR versions prior to 8.0.0.1 fail to properly enforce access controls on group encounters due to sensitivity checks only querying the wrong database table, allowing authenticated users to view restricted medical records such as mental health encounters they should not access. The vulnerability affects multi-user deployments where role-based restrictions are relied upon to protect sensitive patient information. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as restricted user

Delivery

Access group encounter interface

Exploit

Query form_groups_encounter table

Execution

Retrieve sensitive encounter data

Impact

View restricted mental health records

Access

Authenticate as restricted user

Delivery

Access group encounter interface

Exploit

Query form_groups_encounter table

Execution

Retrieve sensitive encounter data

Impact

View restricted mental health records

Vulnerability AssessmentAI

Exploitation	OpenEMR versions prior to 8.0.0.1 with group encounters enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.7 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	Fixed in version 8.0.0.1.. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit access logs for group encounters and identify any unauthorized data access; notify legal/compliance of potential PHI exposure. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-32123 vulnerability details – vuln.today

Back

Openemr CVE-2026-32123

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code