Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (`library/FeeSheet.class.php`) allows any authenticated user with fee sheet ACL access to delete, modify, or read `drug_sales` records belonging to arbitrary patients by manipulating the hidden `prod[][sale_id]` form field. The `save()` method uses the user-supplied `sale_id` in five SQL queries (SELECT, UPDATE, DELETE) without verifying that the record belongs to the current patient and encounter. Version 8.0.0.3 contains a patch.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized manipulation of patient drug sales records via IDOR
Action: Apply Patch
AI Analysis

Impact

An Insecure Direct Object Reference exists in OpenEMR’s fee sheet product save logic, allowing a user with fee sheet ACL access to delete, modify, or read drug sales records for any patient by changing a hidden form field. The application accepts the supplied record identifier without verifying ownership or patient context, so the integrity of drug sales data can be compromised and confidential patient information may be exposed.
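The missing ownership check, as an added illustration that is not OpenEMR's code: a constructed in-memory `drug_sales` table with assumed columns, an update keyed on the form-supplied `sale_id` alone (the pattern the description reports) beside the same operations scoped to the session's patient and encounter, with a mismatch raised as the anomaly worth logging.

```python
import sqlite3

# Constructed in-memory stand-in for a drug_sales table; the columns are
# assumptions for this illustration, not OpenEMR's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE drug_sales (sale_id INTEGER PRIMARY KEY, "
               "pid INTEGER, encounter INTEGER, quantity INTEGER)")
    db.executemany("INSERT INTO drug_sales VALUES (?, ?, ?, ?)",
                   [(1, 100, 5001, 1),    # belongs to patient 100
                    (2, 200, 6002, 2)])   # belongs to patient 200
    return db

def update_unscoped(db, sale_id, quantity):
    """Pattern of the flaw (CWE-639): the form-supplied sale_id is the only key."""
    cur = db.execute("UPDATE drug_sales SET quantity = ? WHERE sale_id = ?",
                     (quantity, sale_id))
    return cur.rowcount

def assert_owned(db, pid, encounter, sale_id):
    """Gate every query that uses sale_id on the session's patient and encounter."""
    row = db.execute("SELECT 1 FROM drug_sales WHERE sale_id = ? AND pid = ? "
                     "AND encounter = ?", (sale_id, pid, encounter)).fetchone()
    if row is None:
        # This is the event to log and monitor: a sale_id outside the current
        # patient context should never arrive from a legitimate fee sheet.
        raise PermissionError(f"sale_id {sale_id} not in patient {pid}/encounter {encounter}")

def update_scoped(db, pid, encounter, sale_id, quantity):
    assert_owned(db, pid, encounter, sale_id)
    return db.execute("UPDATE drug_sales SET quantity = ? "
                      "WHERE sale_id = ? AND pid = ? AND encounter = ?",
                      (quantity, sale_id, pid, encounter)).rowcount

def delete_scoped(db, pid, encounter, sale_id):
    assert_owned(db, pid, encounter, sale_id)
    return db.execute("DELETE FROM drug_sales WHERE sale_id = ? AND pid = ? AND encounter = ?",
                      (sale_id, pid, encounter)).rowcount

def demo():
    """Session context: patient 100, encounter 5001; sale_id 2 is another patient's row."""
    db = make_db()
    leaked = update_unscoped(db, sale_id=2, quantity=99)        # 1: foreign row changed
    try:
        update_scoped(db, 100, 5001, sale_id=2, quantity=99)
        blocked = False
    except PermissionError:
        blocked = True                                            # tampered id rejected
    own = delete_scoped(db, 100, 5001, sale_id=1)                 # 1: own row deleted
    remaining = db.execute("SELECT pid, quantity FROM drug_sales").fetchall()
    return leaked, blocked, own, remaining
```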

Affected Systems

The vulnerability affects OpenEMR installations before version 8.0.0.3. The patch included in the 8.0.0.3 release eliminates the IDOR flaw. Installations running the affected code base should be identified and upgraded to a non-vulnerable release.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity, and the EPSS score is reported as below 1%, suggesting a low current probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires authentication and fee sheet ACL rights; the likely vectors are manipulation of the hidden form field or replay of valid requests with altered values. Successful exploitation would compromise the integrity and confidentiality of patient data.

Generated by OpenCVE AI on March 26, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.3 or later to apply the vendor patch
  • Verify that users have only the necessary fee sheet ACL privileges
  • Monitor web requests for anomalous sale_id values that do not match the current patient context


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type: First Time appeared
Values Added: Open-emr; Open-emr openemr

Type: CPEs
Values Added: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Open-emr; Open-emr openemr

Thu, 26 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Openemr; Openemr openemr

Type: Vendors & Products
Values Added: Openemr; Openemr openemr

Wed, 25 Mar 2026 23:00:00 +0000

Type: References

Wed, 25 Mar 2026 22:45:00 +0000

Type: Description
Values Added: OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (`library/FeeSheet.class.php`) allows any authenticated user with fee sheet ACL access to delete, modify, or read `drug_sales` records belonging to arbitrary patients by manipulating the hidden `prod[][sale_id]` form field. The `save()` method uses the user-supplied `sale_id` in five SQL queries (SELECT, UPDATE, DELETE) without verifying that the record belongs to the current patient and encounter. Version 8.0.0.3 contains a patch.

Type: Title
Values Added: OpenEMR has IDOR in Fee Sheet Product Save

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T15:02:55.022Z

Reserved: 2026-03-10T22:19:36.544Z

Link: CVE-2026-32120

Vulnrichment

Updated: 2026-03-26T14:45:13.168Z

NVD

Status: Analyzed

Published: 2026-03-25T23:17:09.510

Modified: 2026-03-26T18:03:30.737

Link: CVE-2026-32120

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:30Z

Weaknesses