8.1
OpenEMR: Unprivileged users can delete or modify critical health records
CVE-2026-32126
Summary
In OpenEMR versions before 8.0.0.1, the router for the clinical decision rules (CDR) module applies the admin/super ACL check to the wrong set of controllers, so any authenticated user, not only an administrator, can suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations. This can directly affect patient care and practice operations. Upgrade to version 8.0.0.1 or later. Until you can upgrade, limit OpenEMR logins to staff who need them and check clinical plans, rule configurations and alert settings for unexpected changes.
What to do
Upgrade to OpenEMR 8.0.0.1 or later, which contains the fix. If you cannot upgrade immediately, restrict logins to necessary staff and review CDR plans, rules and alert settings for unauthorized modifications.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | < 8.0.0.1 | 8.0.0.1 |
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own internal authorization (review, log), while leaving all other CDR controllers — alerts, ajax, edit, add, detail, browse — accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations — all operations intended to require administrator privileges. This vulnerability is fixed in 8.0.0.1.
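To make the inverted condition concrete, the following is an added illustration written for this page, not OpenEMR's own ControllerRouter code. It models a CDR router that is supposed to enforce the admin/super ACL for every controller except the two (review, log) that authorize internally, and shows what a non-administrator can reach when the condition is inverted versus corrected. The `route()`, `isAdminSuper()` and `reachable()` functions, the ACL array shape and the sample users are assumptions made for the illustration.

```php
<?php
// Added example, not OpenEMR's code: models the ACL gate in a CDR
// controller router. Controller names are the ones listed in the advisory.
declare(strict_types=1);

const CDR_CONTROLLERS = ['alerts', 'ajax', 'edit', 'add', 'detail', 'browse', 'review', 'log'];
// Controllers the advisory describes as having their own internal authorization.
const SELF_AUTHORIZING = ['review', 'log'];

// Stand-in for the admin/super ACL check (assumed ACL array shape).
function isAdminSuper(array $user): bool
{
    return ($user['acl']['admin']['super'] ?? false) === true;
}

/**
 * Route a request to a CDR controller.
 * $inverted = true reproduces the bug: the router's ACL check fires only for
 * controllers that already authorize internally, so every other controller
 * is reachable by any authenticated user.
 * $inverted = false is the corrected condition: the router gates every
 * controller that does NOT carry its own check.
 */
function route(string $controller, array $user, bool $inverted): string
{
    if (!in_array($controller, CDR_CONTROLLERS, true)) {
        return 'not-found';
    }
    $hasOwnAuth = in_array($controller, SELF_AUTHORIZING, true);

    // Vulnerable form is equivalent to: if ($hasOwnAuth) { enforce ACL }
    // Fixed form is equivalent to:      if (!$hasOwnAuth) { enforce ACL }
    $routerMustEnforceAcl = $inverted ? $hasOwnAuth : !$hasOwnAuth;

    if ($routerMustEnforceAcl && !isAdminSuper($user)) {
        return 'forbidden';
    }
    if ($hasOwnAuth && !isAdminSuper($user)) {
        // review/log perform their own check and still reject non-admins,
        // which is why the bug was not visible on those two controllers.
        return 'forbidden';
    }
    return 'dispatched:' . $controller;
}

/** Controllers the given user can actually reach under one router variant. */
function reachable(array $user, bool $inverted): array
{
    $out = [];
    foreach (CDR_CONTROLLERS as $c) {
        if (route($c, $user, $inverted) === 'dispatched:' . $c) {
            $out[] = $c;
        }
    }
    return $out;
}

// Constructed sample users: a non-administrative login and an admin/super login.
$clerk = ['username' => 'clerk', 'acl' => ['admin' => ['super' => false]]];
$admin = ['username' => 'admin', 'acl' => ['admin' => ['super' => true]]];

printf("non-admin, inverted check: %s\n", implode(',', reachable($clerk, true)));
printf("non-admin, fixed check:    %s\n", implode(',', reachable($clerk, false)));
printf("admin, fixed check:        %s\n", implode(',', reachable($admin, false)));
```

Run with `php router_model.php`. With the inverted condition, the non-admin user reaches alerts, ajax, edit, add, detail and browse and is rejected only by review and log; with the corrected condition the non-admin reaches nothing and the admin reaches all eight. The same shape of test is worth keeping in a real deployment's regression suite: for each privileged controller, assert that a non-admin session receives a denial rather than a rendered page.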
NVD CVSS 3.1
7.1
Vulnerability type
CWE-862: Missing Authorization
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026