Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1.
Published: 2026-03-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure (key detail from CVE description)
Action: Apply patch
AI Analysis

Impact

The vulnerability in OpenEMR affects group encounter handling. Prior to 8.0.0.1, the application consults only form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter, causing the ACL to be bypassed. This allows users who should be denied access to view sensitive records, such as mental health encounters, leading to a confidentiality breach (key detail from CVE description).
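To make the defect pattern concrete, here is an added illustration; it is not OpenEMR's code, and the two-table schema, the `sensitivity` column, the `normal`/`high` levels, the row values and the function names are all assumptions constructed for the example. The broken check mirrors what the description states: it consults only `form_encounter`, so a group encounter (stored in `form_groups_encounter`) produces no row, and the "no sensitivity found" path is treated as unrestricted. The corrected check selects the table by encounter type and fails closed when no sensitivity can be determined.

```python
import sqlite3

# Constructed, hypothetical schema: both tables carry a text `sensitivity`
# column. OpenEMR's real schema and ACL code are not reproduced here.
SCHEMA = """
CREATE TABLE form_encounter        (encounter INTEGER PRIMARY KEY, sensitivity TEXT);
CREATE TABLE form_groups_encounter (encounter INTEGER PRIMARY KEY, sensitivity TEXT);
"""

# Constructed sample rows: ids 1xx are individual encounters, 2xx are group
# (therapy) encounters. 'high' stands in for a restricted level such as mental health.
SAMPLE_ROWS = {
    "form_encounter": [(100, "normal"), (101, "high")],
    "form_groups_encounter": [(200, "normal"), (201, "high")],
}

# Fixed mapping from encounter kind to table; never derived from user input.
TABLE_FOR_KIND = {False: "form_encounter", True: "form_groups_encounter"}


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?)", rows)
    return conn


def clearance_allows(user_sensitivities, encounter_sensitivity):
    """'normal' data is visible to any authenticated user; higher levels need an explicit grant."""
    return encounter_sensitivity == "normal" or encounter_sensitivity in user_sensitivities


def broken_can_view(conn, encounter_id, user_sensitivities):
    """Pattern the CVE describes: only form_encounter is consulted.

    A group encounter has no row in that table, so the lookup returns None and
    the missing-sensitivity path grants access. The sensitivity stored in
    form_groups_encounter is never read.
    """
    row = conn.execute(
        "SELECT sensitivity FROM form_encounter WHERE encounter = ?", (encounter_id,)
    ).fetchone()
    if row is None:
        return True  # sensitivity never applied: restricted group encounters leak
    return clearance_allows(user_sensitivities, row[0])


def fixed_can_view(conn, encounter_id, is_group, user_sensitivities):
    """Consult the table that actually holds this encounter's sensitivity, and fail closed."""
    table = TABLE_FOR_KIND[is_group]  # allow-listed name, safe to interpolate
    row = conn.execute(
        f"SELECT sensitivity FROM {table} WHERE encounter = ?", (encounter_id,)
    ).fetchone()
    if row is None:
        return False  # unknown encounter or unknown sensitivity: deny
    return clearance_allows(user_sensitivities, row[0])


def compare(conn, encounter_id, is_group, user_sensitivities):
    """Return (broken_decision, fixed_decision) for one access request."""
    return (
        broken_can_view(conn, encounter_id, user_sensitivities),
        fixed_can_view(conn, encounter_id, is_group, user_sensitivities),
    )


if __name__ == "__main__":
    db = build_db()
    no_grants = set()
    # A user with no sensitivity grants asks for the restricted group encounter.
    print("group encounter 201, no grants:", compare(db, 201, True, no_grants))
    # The same user asks for the restricted individual encounter.
    print("individual encounter 101, no grants:", compare(db, 101, False, no_grants))
```

The two paths diverge only for group encounters: for individual encounters both versions read the same row and agree, which is why the defect stayed invisible to tests that covered only `form_encounter`. Regression tests for a fix like this should include at least one restricted group encounter requested by a user without the grant.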

Affected Systems

Affected systems are OpenEMR versions earlier than 8.0.0.1. The vendor is OpenEMR (openemr:openemr). No additional version qualifiers are provided beyond the pre-8.0.0.1 range (key detail from CVE description).

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present (key details from SCORES). The vulnerability is not listed in the CISA KEV catalog (key detail from KEV). An authenticated user who can view group encounters can exploit the flaw, as the ACL check occurs post-authentication and lacks proper sensitivity enforcement (key detail from CVE description).

Generated by OpenCVE AI on March 17, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.1 or later (official fix, key detail from CVE description).
  • If upgrading is not immediately possible, restrict user roles so they cannot access group encounters or disable group encounter creation until the patch is applied (recommended temporary measure).

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-emr; Open-emr openemr
CPEs | | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products | | Open-emr; Open-emr openemr

Thu, 12 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openemr; Openemr openemr
Vendors & Products | | Openemr; Openemr openemr

Wed, 11 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1.
Title | | OpenEMR: Therapy Group Sensitivity ACL No Longer Enforced
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:10:53.003Z

Reserved: 2026-03-10T22:19:36.544Z

Link: CVE-2026-32123

Vulnrichment

Updated: 2026-03-12T14:10:45.466Z

NVD

Status : Analyzed

Published: 2026-03-11T21:16:18.170

Modified: 2026-03-13T15:47:50.460

Link: CVE-2026-32123

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:01Z

Weaknesses