Skip to main content

Openemr CVE-2026-32126

HIGH
Missing Authorization (CWE-862)
2026-03-11 security-advisories@github.com
Authentication Bypass Openemr
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:07 vuln.today
CVE Published
Mar 11, 2026 - 21:16 nvd
HIGH 7.1

DescriptionGitHub Advisory

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own internal authorization (review, log), while leaving all other CDR controllers - alerts, ajax, edit, add, detail, browse - accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations - all operations intended to require administrator privileges. This vulnerability is fixed in 8.0.0.1.

AnalysisAI

OpenEMR versions prior to 8.0.0.1 contain an inverted boolean condition in the access control logic that allows any authenticated user to access administrative CDR controllers (alerts, ajax, edit, add, detail, browse) intended for administrators only. Affected users can suppress clinical decision support alerts, delete or modify clinical plans, and edit rule configurations without proper authorization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Exploit
Access CDR controllers without admin ACL
Execution
Modify clinical plans or suppress alerts
Impact
Compromise clinical decision support
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Valid authenticated user account (any privilege level below admin/super) accessing OpenEMR versions prior to 8.0.0.1 with CDR controllers (alerts, ajax, edit, add, detail, browse) exposed through inverted boolean ACL check in ControllerRouter::route(). Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.1 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker (requires authentication) could exploit this vulnerability to compromise the affected system.
Remediation Fixed in version 8.0.0.1.. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: inventory all OpenEMR instances and verify versions pre-8.0.0.1; disable non-admin user access to clinical modules if possible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-32126 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy