4.3
OpenEMR Exposes Billing Information to Unauthorized Users
CVE-2026-32122
Summary
OpenEMR's Claim File Tracker feature in versions before 8.0.0.1 exposes an AJAX endpoint that does not enforce the same ACL as the main billing/claims workflow. As a result, authenticated users without the appropriate billing permissions can view billing claim metadata such as claim IDs, payer details and transmission logs. To fix this, update to version 8.0.0.1 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | <= 8.0.0.1 | – |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billi...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata (claim IDs, payer info, transmission logs). The endpoint does not enforce the same ACL as the main billing/claims workflow, so authenticated users without appropriate billing permissions can access this data. This vulnerability is fixed in 8.0.0.1.
nvd CVSS3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026