CVE-2026-32126
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own internal authorization (review, log), while leaving all other CDR controllers - alerts, ajax, edit, add, detail, browse - accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations - all operations intended to require administrator privileges. This vulnerability is fixed in 8.0.0.1.
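To make the described bug shape concrete, the following is an added illustrative model of the route guard, not OpenEMR's actual ControllerRouter::route() code: the constant SELF_AUTHORIZING, the functions cdrRouteVulnerable and cdrRouteFixed, and the $isAdmin flag are assumptions; only the negated membership test and the controller names follow the advisory text.

```php
<?php
// Illustrative model of the inverted-condition bug; not OpenEMR's own code.
// Assumed names: SELF_AUTHORIZING, cdrRouteVulnerable, cdrRouteFixed, $isAdmin.

// Controllers that, per the advisory, carry their own internal authorization.
const SELF_AUTHORIZING = ['review', 'log'];

// Vulnerable shape: the admin/super check runs only for the self-authorizing
// controllers, so alerts/ajax/edit/add/detail/browse skip it entirely.
function cdrRouteVulnerable(string $controller, bool $isAdmin): string
{
    if (in_array($controller, SELF_AUTHORIZING, true)) {   // inverted: the "!" is missing
        if (!$isAdmin) {
            return 'denied';
        }
    }
    return "dispatch:$controller";
}

// Fixed shape: every controller outside the self-authorizing set requires the
// admin role, and the check runs before any dispatch happens.
function cdrRouteFixed(string $controller, bool $isAdmin): string
{
    if (!in_array($controller, SELF_AUTHORIZING, true) && !$isAdmin) {
        return 'denied';
    }
    return "dispatch:$controller";
}

// Constructed walk-through: a non-admin user requesting three CDR controllers.
foreach (['alerts', 'edit', 'review'] as $c) {
    printf("%-7s vulnerable=%-16s fixed=%s\n", $c,
        cdrRouteVulnerable($c, false), cdrRouteFixed($c, false));
}
```

Running it shows the vulnerable guard dispatching alerts and edit for a non-admin while the fixed guard denies both; review is passed through in both cases because its own internal check is expected to decide.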
Analysis
OpenEMR versions prior to 8.0.0.1 contain an inverted boolean condition in the access control logic that allows any authenticated user to access administrative CDR controllers (alerts, ajax, edit, add, detail, browse) intended for administrators only. Affected users can suppress clinical decision support alerts, delete or modify clinical plans, and edit rule configurations without proper authorization. …
Remediation
Within 24 hours: inventory all OpenEMR instances and verify versions pre-8.0.0.1; disable non-admin user access to clinical modules if possible. Within 7 days: implement compensating controls (WAF rules blocking /admin/ routes for non-admin roles, network segmentation isolating OpenEMR, enable audit logging on CDR controllers). …