6.5

OpenEMR 7.x and prior: Sensitive patient info accessible to unauthorized users

CVE-2026-32123
Summary

OpenEMR, a free medical record system, allows users to view sensitive patient information they shouldn't access. This happens because the sensitivity checks that control who can view an encounter are not applied correctly to group encounters. Update to the latest version to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
open-emr | openemr | <= 8.0.0.1 | –
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only c...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1.
nvd CVSS3.1 7.7
Vulnerability type
CWE-863 Incorrect Authorization
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026
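
The flaw in the original description, modeled as an added example (this is not OpenEMR's code). Only the table names form_encounter and form_groups_encounter come from the advisory; the columns, the sensitivity levels, the fail-open behaviour of the flawed check and all function names are assumptions made for illustration.

```python
import sqlite3

TABLES = {False: "form_encounter", True: "form_groups_encounter"}

def build_db():
    """Constructed sample data; columns are simplified assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE form_encounter (encounter INTEGER PRIMARY KEY, sensitivity TEXT);
        CREATE TABLE form_groups_encounter (encounter INTEGER PRIMARY KEY, sensitivity TEXT);
        INSERT INTO form_encounter VALUES (1, 'normal'), (2, 'high');
        INSERT INTO form_groups_encounter VALUES (100, 'high'), (101, 'normal');
    """)
    return db

def sensitivity_of(db, encounter, is_group):
    table = TABLES[bool(is_group)]  # fixed allow-list, never user input
    row = db.execute(
        f"SELECT sensitivity FROM {table} WHERE encounter = ?", (encounter,)
    ).fetchone()
    return row[0] if row else None

def can_view_flawed(db, encounter, allowed):
    # Pattern from the advisory: only form_encounter is consulted.
    level = sensitivity_of(db, encounter, is_group=False)
    # Assumption: a missing row is treated as "not sensitive" (fail open).
    return level is None or level in allowed

def can_view_fixed(db, encounter, is_group, allowed):
    # Read the table that actually stores this encounter's sensitivity,
    # and deny when no row is found (fail closed).
    level = sensitivity_of(db, encounter, is_group)
    return level is not None and level in allowed

if __name__ == "__main__":
    db = build_db()
    restricted = {"normal"}  # user without access to 'high' encounters
    for enc, is_group in [(2, False), (100, True), (101, True)]:
        print(enc, is_group,
              can_view_flawed(db, enc, restricted),
              can_view_fixed(db, enc, is_group, restricted))
```

When checking a deployment or a patch, the same question applies to every code path that renders or exports encounters: whether the sensitivity value is read from the table that stores it for that encounter type.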