Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own internal authorization (review, log), while leaving all other CDR controllers — alerts, ajax, edit, add, detail, browse — accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations — all operations intended to require administrator privileges. This vulnerability is fixed in 8.0.0.1.
Published: 2026-03-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An inverted boolean condition in OpenEMR's ControllerRouter::route() applies the admin/super ACL check only to the controllers that already perform their own internal authorization (review, log) and skips it for the remaining CDR controllers (alerts, ajax, edit, add, detail, browse), so those are reachable by any authenticated user. A logged-in user with no administrative role can therefore suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations, all of which were intended to require administrator privileges. The weakness is a missing authorization check, classified as CWE-862 (Missing Authorization).
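The following PHP script is an added illustration of the routing mistake described above, written for this page; it is not OpenEMR's code. Only the controller names (review, log, alerts, ajax, edit, add, detail, browse) come from the CVE text. The function names, the isAdminSuper() helper, the assumed "controller!method" action format, the action strings and the sample users are constructed for the example. It shows the inverted check beside the corrected one and prints, for a low-privileged user and an administrator, which controllers each version dispatches.

```php
<?php
// Added illustration of the router-level ACL pattern described in this CVE.
// This is NOT OpenEMR's code: the controller names come from the CVE text;
// the function names, the isAdminSuper() helper, the "controller!method"
// action format, the action strings and the sample users are assumptions
// constructed for this example.

declare(strict_types=1);

// Controllers that, per the CVE description, perform their own internal
// authorization and were therefore meant to be exempt from the router check.
const SELF_AUTHORIZING = ['review', 'log'];

// Stand-in for a session-backed ACL helper: true when the user holds the
// admin/super privilege. $user is a constructed array, not an OpenEMR session.
function isAdminSuper(array $user): bool
{
    return in_array('super', $user['acl'] ?? [], true);
}

// Splits an action of the assumed form "controller!method" into its parts;
// a missing method defaults to "index".
function parseAction(string $action): array
{
    [$controller, $method] = explode('!', $action, 2) + [1 => 'index'];
    return [$controller, $method];
}

// Vulnerable shape: the condition is inverted, so the admin/super check runs
// only for the exempt controllers and every other controller is dispatched
// for any authenticated user.
function routeVulnerable(string $action, array $user): string
{
    [$controller, $method] = parseAction($action);
    if (in_array($controller, SELF_AUTHORIZING, true)) {   // inverted test
        if (!isAdminSuper($user)) {
            return 'denied';
        }
    }
    return "dispatch:$controller!$method";
}

// Corrected shape: admin/super is required for every controller that does
// not authorize internally, which is the behaviour the CVE text says was intended.
function routeFixed(string $action, array $user): string
{
    [$controller, $method] = parseAction($action);
    if (!in_array($controller, SELF_AUTHORIZING, true)) {
        if (!isAdminSuper($user)) {
            return 'denied';
        }
    }
    return "dispatch:$controller!$method";
}

// Constructed sample users: a low-privileged clinician and an administrator.
$users = [
    'clinician' => ['acl' => ['patients']],
    'admin'     => ['acl' => ['patients', 'super']],
];

// One action per controller named in the CVE text (method names are made up).
$actions = ['alerts!index', 'ajax!index', 'edit!index', 'add!index',
            'detail!index', 'browse!index', 'review!index', 'log!index'];

printf("%-14s %-10s %-12s %-12s\n", 'action', 'user', 'vulnerable', 'fixed');
foreach ($users as $name => $user) {
    foreach ($actions as $action) {
        printf("%-14s %-10s %-12s %-12s\n", $action, $name,
            routeVulnerable($action, $user) === 'denied' ? 'denied' : 'ALLOWED',
            routeFixed($action, $user) === 'denied' ? 'denied' : 'allowed');
    }
}
```

Run it with `php` from the command line. For the clinician the vulnerable router denies only review and log, the two controllers that the CVE says guard themselves anyway, and dispatches the six controllers that modify alerts, plans and rules; the corrected router denies all eight for the clinician and allows all eight for the administrator.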

Affected Systems

Every OpenEMR release before 8.0.0.1 is affected; the CPE entry on this page covers all versions of the openemr product. The fix ships in release 8.0.0.1.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) rates the flaw High: it is reachable over the network with low attack complexity, needs only a low-privileged authenticated account and no user interaction, and its main effect is on integrity (clinical rules and plans can be modified or deleted), with a lower effect on availability (alerts can be suppressed) and none on confidentiality. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild. This is an application-level privilege escalation: an ordinary authenticated OpenEMR user gains administrator-only operations inside the application, not code execution or elevated privilege on the host. The issue is not in CISA's KEV catalog, which means no active exploitation has been recorded there; the SSVC entry on this page nonetheless records that proof-of-concept exploitation exists, and the condition is trivially reachable from any authenticated session.

Generated by OpenCVE AI on March 17, 2026 at 17:23 UTC.

Remediation

The CVE description states that the issue is fixed in OpenEMR 8.0.0.1. No separate vendor workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to 8.0.0.1 or later, the release in which the ControllerRouter::route() condition is corrected.
  • If patching cannot be performed immediately, restrict non‑admin users from reaching the affected CDR controllers (alerts, ajax, edit, add, detail, browse) and review role‑based access controls so that only administrators can modify alerts, plans and rules; after patching, confirm that a non‑admin account is denied on those controllers.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Open-emr
                                       Open-emr openemr
CPEs                                   cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products                     Open-emr
                                       Open-emr openemr

Thu, 12 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Openemr
                                       Openemr openemr
Vendors & Products                     Openemr
                                       Openemr openemr

Wed, 11 Mar 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description                    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own internal authorization (review, log), while leaving all other CDR controllers — alerts, ajax, edit, add, detail, browse — accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations — all operations intended to require administrator privileges. This vulnerability is fixed in 8.0.0.1.
Title                          OpenEMR: Inverted ACL Condition in CDR ControllerRouter Allows Any Authenticated User to Modify/Delete Clinical Rules and Plans
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1
                               {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:15:37.248Z

Reserved: 2026-03-10T22:19:36.545Z

Link: CVE-2026-32126

Vulnrichment

Updated: 2026-03-12T14:15:29.505Z

NVD

Status : Analyzed

Published: 2026-03-11T21:16:18.720

Modified: 2026-03-13T15:46:41.717

Link: CVE-2026-32126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:59Z

Weaknesses