Description
OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control vulnerability in OpenEMR up to and including version 8.0.0.3 allows low-privilege users to view and download Ensora eRx error logs without proper authorization checks. This flaw compromises system confidentiality by exposing sensitive information, potentially leading to unauthorized data disclosure and misuse. As of time of publication, no known patches versions are available.
Published: 2026-03-25
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of sensitive medical records via low‑privilege access to error logs
Action: Assess Impact
AI Analysis

Impact

OpenEMR has a broken access control flaw that permits users with low‑level privileges to view and download Ensora eRx error logs. The logs contain confidential patient and prescription data, so the vulnerability results in the unauthorized disclosure of sensitive information. This is a classic privilege‑escalation problem (CWE‑285) combined with accidental data exposure (CWE‑425).

Affected Systems

The flaw affects the OpenEMR electronic health record system, specifically all releases up to and including version 8.0.0.3. Any deployment of those versions that stores Ensora eRx error logs is at risk. No patched version is currently available, so installations remain vulnerable until the vendor publishes a fix.

Risk and Exploitability

The CVSS score of 7.7 indicates a high‑to‑medium severity. EPSS is under 1 %, suggesting a low probability of exploitation at this time, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must be a legitimate user with low privileges in the system, making the threat most acute for organizations with many low‑privilege accounts that are not properly isolated. If exploited, the attacker could read confidential medical information, potentially leading to privacy violations and regulatory noncompliance.

Generated by OpenCVE AI on March 26, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Seek and apply an updated OpenEMR release that fixes the access control issue (once available).
  • If an update is not yet released, reconfigure access controls so that only admin or privileged users can view or download Ensora eRx error logs, for example by adjusting permissions or role settings.
  • Temporarily disable or remove the Ensora eRx error log feature until a patch is available, to prevent accidental data exposure.
  • Review user accounts and reduce privileges where appropriate to limit potential data exposure by low‑level users.
  • Continuously monitor system logs for unauthorized access attempts and keep the overall system updated with the latest security patches.

Generated by OpenCVE AI on March 26, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control vulnerability in OpenEMR up to and including version 8.0.0.3 allows low-privilege users to view and download Ensora eRx error logs without proper authorization checks. This flaw compromises system confidentiality by exposing sensitive information, potentially leading to unauthorized data disclosure and misuse. As of time of publication, no known patches versions are available.
Title OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data
Weaknesses CWE-285
CWE-425
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-28T01:53:13.991Z

Reserved: 2026-03-25T15:29:04.747Z

Link: CVE-2026-34056

cve-icon Vulnrichment

Updated: 2026-03-28T01:53:08.881Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T00:16:41.400

Modified: 2026-03-26T16:15:22.680

Link: CVE-2026-34056

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:29:13Z

Weaknesses