Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulation despite UI restrictions. This can lead to unauthorized data access, bulk data extraction, and manipulation of system data. Version 8.0.0.3 contains a fix.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Import/Export Access
Action: Patch
AI Analysis

Impact

OpenEMR versions prior to 8.0.0.3 contain an improper access control that allows users who are not granted permission to import or export through the UI to perform those actions by manipulating requests directly. This flaw can lead to unauthorized data access, bulk data extraction, or manipulation of system data, posing a risk to confidentiality and integrity of patient information.

Affected Systems

The vulnerability affects the openemr openemr application. All releases before version 8.0.0.3 are affected, while version 8.0.0.3 incorporates a fix.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not in the CISA KEV catalog. Based on the description, the attack vector is inferred to be direct request manipulation over the web interface, which may be carried out remotely by an attacker with network access to the application.

Generated by OpenCVE AI on March 26, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.3 or later to apply the vendor fix.

Generated by OpenCVE AI on March 26, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Thu, 26 Mar 2026 00:00:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulation despite UI restrictions. This can lead to unauthorized data access, bulk data extraction, and manipulation of system data. Version 8.0.0.3 contains a fix.
Title OpenEMR has Improper ACL On Import/Export Popup
Weaknesses CWE-285
CWE-425
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-28T01:52:07.012Z

Reserved: 2026-03-25T15:29:04.746Z

Link: CVE-2026-34051

cve-icon Vulnrichment

Updated: 2026-03-28T01:51:55.975Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T00:16:40.850

Modified: 2026-03-26T16:17:42.807

Link: CVE-2026-34051

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:29:16Z

Weaknesses