Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.
Published: 2026-03-19
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection flaw in the backup feature of OpenEMR. Because inputs are not properly validated, an attacker who can authenticate to the system can supply arbitrary commands that the server will execute. This allows the attacker to take full control of the host, compromising confidentiality, integrity, and availability of the entire electronic health record environment.

Affected Systems

OpenEMR products before version 8.0.0.2 are affected. The vulnerability exists in all releases prior to the referenced fix, and affects installations of the openemr application regardless of deployment size or geography.

Risk and Exploitability

The CVSS score is 9.1, indicating high severity and a high likelihood of damaging exploitation. The EPSS score is below 1%, suggesting that active exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog, but the combination of remote command execution with required authentication means that only users with legitimate access can abuse the flaw. An internal attacker or a compromised legitimate user can trigger the exploit through the backup functionality. The exploit path requires that the user have permission to access the backup interface and that the application is running a vulnerable version before 8.0.0.2.

Generated by OpenCVE AI on March 20, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.2 or later to apply the fix for the command‑injection vulnerability.

Generated by OpenCVE AI on March 20, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Thu, 19 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.
Title OpenEMR has Remote Code Execution in backup functionality
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:11:09.011Z

Reserved: 2026-03-11T14:47:05.684Z

Link: CVE-2026-32238

cve-icon Vulnrichment

Updated: 2026-03-20T17:09:04.086Z

cve-icon NVD

Status : Modified

Published: 2026-03-19T20:16:14.057

Modified: 2026-03-20T19:16:15.603

Link: CVE-2026-32238

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:55:12Z

Weaknesses