CVE-2026-32123

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/openemr/openemr/security/advisories/GHSA-j4mm-wg7q-v57q	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

13 Mar 2026, 15:47

Type	Values Removed	Values Added
Summary		(es) OpenEMR es una aplicación de gestión de registros médicos electrónicos y de práctica médica de código abierto y gratuita. Antes de 8.0.0.1, las comprobaciones de sensibilidad para los encuentros grupales están rotas porque el código solo consulta form_encounter para la sensibilidad, mientras que los encuentros grupales almacenan la sensibilidad en form_groups_encounter. Como resultado, la sensibilidad nunca se aplica correctamente a los encuentros grupales, y los usuarios a quienes se les debería restringir la visualización de encuentros sensibles (p. ej., de salud mental) pueden verlos. Esta vulnerabilidad está corregida en 8.0.0.1.
CPE		cpe:2.3:a:open-emr:openemr::::::::
First Time		Open-emr openemr Open-emr
References	~~() https://github.com/openemr/openemr/security/advisories/GHSA-j4mm-wg7q-v57q -~~	() https://github.com/openemr/openemr/security/advisories/GHSA-j4mm-wg7q-v57q - Exploit, Vendor Advisory

11 Mar 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 21:16

Updated : 2026-03-13 15:47

NVD link : CVE-2026-32123

Mitre link : CVE-2026-32123

CVE.ORG link : CVE-2026-32123

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-32123", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-11T21:16:18.170", "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-j4mm-wg7q-v57q", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n de gesti\u00f3n de registros m\u00e9dicos electr\u00f3nicos y de pr\u00e1ctica m\u00e9dica de c\u00f3digo abierto y gratuita. Antes de 8.0.0.1, las comprobaciones de sensibilidad para los encuentros grupales est\u00e1n rotas porque el c\u00f3digo solo consulta form_encounter para la sensibilidad, mientras que los encuentros grupales almacenan la sensibilidad en form_groups_encounter. Como resultado, la sensibilidad nunca se aplica correctamente a los encuentros grupales, y los usuarios a quienes se les deber\u00eda restringir la visualizaci\u00f3n de encuentros sensibles (p. ej., de salud mental) pueden verlos. Esta vulnerabilidad est\u00e1 corregida en 8.0.0.1."}], "lastModified": "2026-03-13T15:47:50.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "136D07EE-9108-423B-AD86-E9E901940C17", "versionEndExcluding": "8.0.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}