CVE-2026-32123
Received Received - Intake
Improper Access Control in OpenEMR Group Encounters Disclosure

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32123
EUVD
EUVD-2026-11393
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32123 is a high-severity vulnerability in OpenEMR versions prior to 8.0.0.1 that involves improper enforcement of sensitivity access controls for group therapy encounters.

The vulnerability occurs because the software only checks the sensitivity level in the form_encounter table, while group encounters store their sensitivity data in a different table called form_groups_encounter.

As a result, sensitivity restrictions meant to protect sensitive group encounter data, such as mental health information, are not applied correctly, allowing unauthorized users to view this sensitive information.

The issue lies in the method responsible for retrieving sensitivity information, which fails to check the correct table for group encounters, leading to incorrect authorization decisions.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of protected health information (PHI) related to group therapy and other sensitive encounters.

Users who should be restricted from viewing sensitive data, such as mental health records, may gain access to this information due to the broken sensitivity checks.

The impact is primarily on confidentiality, as sensitive patient data can be exposed to users without the necessary permissions.

The vulnerability has a network attack vector, low attack complexity, requires low privileges, and no user interaction, making it relatively easy for an attacker with some access to exploit.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by verifying whether users without appropriate sensitivity permissions can access sensitive group encounter data in OpenEMR versions prior to 8.0.0.1.

A practical detection method involves configuring a group encounter with a restricted sensitivity level, then logging in as a user lacking permission for that sensitivity and attempting to access the sensitive encounter data. If access is granted, the system is vulnerable.

From a technical perspective, reviewing the source code, particularly the method responsible for retrieving sensitivity (e.g., getSensitivity() in src/Services/EncounterService.php), can help detect if the sensitivity check only queries the form_encounter table and ignores form_groups_encounter.

There are no specific network or system commands provided in the available resources to detect this vulnerability automatically.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.1 or later, where the sensitivity check logic has been corrected to properly enforce access control for group encounters.

Until the upgrade can be applied, restrict access to group encounter data for users who should not have permission to view sensitive information, as a temporary workaround.

Review and audit user permissions related to sensitivity levels to ensure that unauthorized users do not have access to sensitive group encounter data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32123. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart