Authorization Flaw in OpenEMR Affects Medical Practice Management
CVE-2026-32126

7.1HIGH

Key Information:

Vendor: Openemr
Status: Openemr
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-32126?

OpenEMR, a widely used electronic health records and medical practice management solution, has a significant authorization flaw prior to version 8.0.0.1. An issue within the ControllerRouter::route() function restricts the admin/super user ACL check to only certain controllers that already implement their own internal authorization. Consequently, this oversight permits any authenticated user to bypass crucial administrative operations. This includes the suppression of clinical decision support alerts, modification of clinical plans, and editing of rule configurations, all of which should be strictly reserved for administrators. The vulnerability has been resolved in version 8.0.0.1.

Affected Version(s)

openemr < 8.0.0.1

References

https://github.com/openemr/openemr/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Mar 10, 2026

CVE-2026-32126 Data

JSON

Openemr

What is CVE-2026-32126?

Affected Version(s)

References

CVSS V3.1

Timeline