CVE-2026-32120
IDOR Vulnerability in OpenEMR Fee Sheet Allows Data Manipulation
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | all versions earlier than 8.0.0.3 (8.0.0.3 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with fee sheet ACL access to delete, modify, or read drug_sales records belonging to arbitrary patients by manipulating form fields without proper authorization checks.
This unauthorized access and modification of patient-related data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal health information to ensure confidentiality and integrity.
Therefore, exploitation of this vulnerability may result in non-compliance with these standards due to improper access controls and potential exposure or alteration of sensitive patient data.
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in the product save logic of OpenEMR's fee sheet, in versions prior to 8.0.0.3. It allows any authenticated user with fee sheet ACL access to delete, modify, or read drug_sales records of arbitrary patients by manipulating a hidden form field called prod[][sale_id]. The save() method uses the user-supplied sale_id in several SQL queries without verifying that the referenced record belongs to the current patient and encounter.
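To make the save-logic flaw and its fix concrete, here is an added Python/sqlite3 illustration that is not OpenEMR's code: a stand-in drug_sales table, the unscoped update pattern that CWE-639 describes, and a hardened version that keys every query on the session's patient and encounter. The table layout, function names and sample form data are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for OpenEMR's drug_sales table (not the real schema):
# each sale belongs to exactly one patient (pid) and one encounter.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE drug_sales (sale_id INTEGER PRIMARY KEY, "
               "pid INTEGER, encounter INTEGER, quantity INTEGER)")
    db.executemany("INSERT INTO drug_sales VALUES (?, ?, ?, ?)",
                   [(1, 100, 5, 2), (2, 200, 7, 1)])  # sale 2 belongs to a different patient
    return db

def quantity(db, sale_id):
    return db.execute("SELECT quantity FROM drug_sales WHERE sale_id = ?",
                      (sale_id,)).fetchone()[0]

def save_idor(db, pid, encounter, prod):
    """The CWE-639 pattern: sale_id is taken straight from the submitted form and
    used as the only key, so a record of any patient can be rewritten."""
    for item in prod:
        db.execute("UPDATE drug_sales SET quantity = ? WHERE sale_id = ?",
                   (item["quantity"], item["sale_id"]))
    db.commit()

def save_scoped(db, pid, encounter, prod):
    """Hardened version: every read and write is keyed on the session's
    (pid, encounter) in addition to sale_id, so a foreign sale_id matches nothing.
    Returns the rejected sale_ids so the caller can log the attempt."""
    rejected = []
    for item in prod:
        owned = db.execute("SELECT 1 FROM drug_sales "
                           "WHERE sale_id = ? AND pid = ? AND encounter = ?",
                           (item["sale_id"], pid, encounter)).fetchone()
        if owned is None:
            rejected.append(item["sale_id"])
            continue
        db.execute("UPDATE drug_sales SET quantity = ? "
                   "WHERE sale_id = ? AND pid = ? AND encounter = ?",
                   (item["quantity"], item["sale_id"], pid, encounter))
    db.commit()
    return rejected

if __name__ == "__main__":
    form = [{"sale_id": 2, "quantity": 99}]  # constructed POST: sale_id owned by another patient
    db = make_db(); save_idor(db, 100, 5, form)
    print("unscoped save altered sale 2, quantity now:", quantity(db, 2))   # 99
    db = make_db(); print("scoped save rejected:", save_scoped(db, 100, 5, form),
                          "sale 2 quantity still:", quantity(db, 2))     # [2] 1
```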
How can this vulnerability impact me?
This vulnerability can allow an authenticated user to access or alter drug sales records of patients they should not have access to. This could lead to unauthorized disclosure or modification of sensitive medical data, potentially compromising patient privacy and data integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenEMR to version 8.0.0.3 or later, which contains a patch addressing the Insecure Direct Object Reference (IDOR) issue in the fee sheet product save logic.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing HTTP POST requests to the fee sheet save functionality in OpenEMR, specifically looking for manipulation of the hidden form field named `prod[][sale_id]`.
To detect potential exploitation attempts, you can inspect web server logs or capture network traffic for POST requests to the fee sheet save endpoint and check if the `sale_id` values in the `prod` array do not correspond to the current patient's records.
Suggested commands include using tools like `grep` or `awk` on web server logs to find suspicious POST data, or using packet capture tools like `tcpdump` or `Wireshark` to filter HTTP POST requests containing `prod[][sale_id]` parameters.
- Example grep command to search web server logs for suspicious `sale_id` manipulation: `grep -i 'prod\[.*\]\[sale_id\]' /var/log/apache2/access.log`
- Using tcpdump to capture HTTP POST requests to the fee sheet save endpoint (`-l` line-buffers the output so the pipe into `grep` shows matches as they arrive): `tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'prod\[.*\]\[sale_id\]'`
Additionally, reviewing application logs or enabling detailed logging in OpenEMR for fee sheet save operations may help identify unauthorized access or modification attempts involving mismatched `sale_id` values.