CVE-2026-34053
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue.
Analysis
OpenEMR versions prior to 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user, regardless of assigned role or privileges, to irreversibly delete critical medical data including procedure orders, answers, and specimens for any patient in the system. This is a severe integrity violation in a healthcare application handling protected health information. …
Remediation
Within 24 hours: Inventory all OpenEMR deployments and confirm versions below 8.0.0.3; restrict AJAX endpoint access via network controls or WAF rules; audit recent deletion logs for suspicious activity. Within 7 days: Implement role-based access controls at the network layer; enable comprehensive audit logging; conduct incident investigation if deletions are detected. …
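The "audit recent deletion logs" step above can be started from the web server's access log, since every call to the vulnerable endpoint must pass through it. The following is an added example, not code from vuln.today or the OpenEMR project; it assumes Apache/nginx combined-format access logs and an OpenEMR install served under `/openemr/`, and the log lines it scans are constructed for the demonstration.

```python
import re
from collections import Counter

# Path of the affected endpoint, exactly as named in the advisory.
DELETION_ENDPOINT = "interface/forms/procedure_order/handle_deletions.php"

# Matches the leading fields of a combined-format access log line:
# client, ident, user, timestamp, request line and status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_deletion_requests(lines):
    """Return one dict per request that reached the deletion endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path.endswith(DELETION_ENDPOINT):
            hits.append({k: m.group(k) for k in ("client", "user", "ts", "method", "status")})
    return hits

def summarise_by_client(hits):
    """Count deletion-endpoint requests per client address."""
    return Counter(h["client"] for h in hits)

def flag_clients(hits, threshold=2):
    """Clients that hit the endpoint at least `threshold` times; a burst of
    deletions from one source is the pattern worth investigating first."""
    return sorted(c for c, n in summarise_by_client(hits).items() if n >= threshold)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2026:10:01:02 +0000] "GET /openemr/interface/main/tabs/main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2026:10:01:40 +0000] "POST /openemr/interface/forms/procedure_order/handle_deletions.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2026:10:02:11 +0000] "POST /openemr/interface/forms/procedure_order/handle_deletions.php HTTP/1.1" 200 44 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2026:10:02:12 +0000] "POST /openemr/interface/forms/procedure_order/handle_deletions.php HTTP/1.1" 200 44 "-" "python-requests/2.31"',
    '203.0.113.5 - - [12/Mar/2026:10:03:00 +0000] "GET /openemr/interface/patient_file/summary/demographics.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_deletion_requests(SAMPLE_LOG)
    print(f"{len(hits)} request(s) to {DELETION_ENDPOINT}")
    print("flagged clients:", flag_clients(hits))
```

Correlate the flagged client addresses and timestamps with OpenEMR's own audit log to identify which account made the calls and whether the deletions were legitimate.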